CertSimple will be shutting down on January 30 2020.
At the CABForum on June 12th 2019, Google announced that website verification markers will no longer be displayed in future versions of Chrome.
Verification for websites is performed using EV SSL/TLS certs. Issuing one involves checking the company's registration and operating status with the government, calling the phone number published on a specific set of trusted sites (CertSimple certs typically use Google My Business), verifying that the person who ordered the certificate has the authority to do so, and potentially other steps depending on the type of legal entity.
You'll see the verification markers now at your bank, GitHub, Apple, Steam and any number of high profile sites, particularly where they're concerned about phishing, unofficial sites, affiliates, proving a real world identity is behind a website, or linking to a known brand from an unusual domain. But in a few months' time you won't see them in Chrome.
EV markers are a more modern version of the original SSL verification process of the 90s, which required companies to fill out a certificate signing request (CSR) containing the company name and location, then prove their identity to a CA before a certificate was issued.
The original SSL process involved verifying all the fields in the certificate request before the certificate was issued.
In 2003, GeoTrust removed identity checks and began issuing certs to anyone with a domain (DV SSL), saving themselves huge amounts of money, but also removing a great deal of certainty about who you were connecting to when you visited a secure site. EV, created in 2007, re-added verification, standardised the process and added specific verification markers to browsers.
A number of issues have been affecting EV certs for a while:
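To make the DV/EV difference concrete at the certificate level, here is an added example (not CertSimple's code) that builds and parses the DER-encoded subject of a DV-style and an EV-style certificate and reports which verified-identity attributes are present. The attribute OIDs are the standard ones; the sample values are made up, and which attributes count as "verified identity" is this example's assumption.

```python
# Added example, not CertSimple's code: a minimal DER encoder/decoder for an X.509
# Name, enough to show which identity attributes an EV subject carries that DV lacks.
def _tlv(tag, body):  # short-form length only; every sample below stays under 128 bytes
    assert len(body) < 128, "long-form DER length not implemented here"
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, continuation bit on every byte but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O",
        "2.5.4.5": "serialNumber", "2.5.4.15": "businessCategory",
        "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC"}  # standard attribute OIDs
OID_BYTES = {_encode_oid(k): v for k, v in OIDS.items()}
NAME_TO_OID = {v: k for k, v in OIDS.items()}
# Assumed here: attributes a CA only populates after verifying the legal entity.
EV_IDENTITY = {"O", "serialNumber", "businessCategory", "jurisdictionC"}

def encode_name(attrs):  # attrs: [(short name, value)] -> DER Name, one RDN each
    rdns = [_tlv(0x31, _tlv(0x30, _encode_oid(NAME_TO_OID[k]) + _tlv(0x0C, v.encode())))
            for k, v in attrs]  # 0x31 SET, 0x30 SEQUENCE, 0x0C UTF8String
    return _tlv(0x30, b"".join(rdns))

def _read_tlv(buf, pos):  # returns (tag, body, position after this element)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_name(der):  # DER Name -> {attribute: value}; unknown OIDs keep hex form
    tag, rdns, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = {}, 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)  # SET OF one AttributeTypeAndValue
        _, atv, _ = _read_tlv(rdn, 0)       # SEQUENCE { type OID, value string }
        tag, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        attrs[OID_BYTES.get(_tlv(tag, oid), oid.hex())] = val.decode()
    return attrs
def verified_identity(der):  # EV identity attributes present; empty for a DV subject
    return {k: v for k, v in decode_name(der).items() if k in EV_IDENTITY}
# Constructed sample subjects (made-up values): what a DV cert vs an EV cert carries.
DV_SUBJECT = encode_name([("CN", "example.com")])
EV_SUBJECT = encode_name([("C", "US"), ("O", "Example Inc"), ("CN", "example.com"),
                          ("businessCategory", "Private Organization"),
                          ("jurisdictionC", "US"), ("serialNumber", "12345")])
```

With the Chrome marker gone, `verified_identity` is the kind of check a client or monitoring tool would have to do itself to learn whether any vetted legal entity stands behind a certificate.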
Verification markers used in browsers don't resemble the more modern verification markers used on all other platforms. People know a blue tick on Twitter, Facebook, Whatsapp is a verified profile, but they don't know a green bar saying 'Apple Inc' means this is Apple. This is fixable, but see the next point.
Neither CAs nor browsers have done any research into the effectiveness of their current verification interfaces vs alternatives. There's some effort in this direction, but it hasn't been enough.
In the US specifically, business name homonym attacks have become an issue. Efforts to focus on verifying trademarks (Stripe (Payments) US) would have largely resolved this, but haven't been successful.
Policy for how Chrome - and therefore how the internet - handles identity (or whether it should handle identity at all) is the responsibility of a single person at Google. I've had fairly long conversations with this person about how users could know the real world identity behind a website, and the best they've ever come up with is that the website 'doesn't look right' and 'the domain name isn't well known'. But even Google publish various sites at unofficial sounding domain names. It's important to know whether these actually represent Google. Signed exchanges could address this issue in future, but have their own set of technical challenges, and only address identity issues for companies with well-known domain names. Ultimately, the impression I get is that identity is too complex an issue for browser makers to address anymore.
CertSimple is a tiny player in the certificate space. We've been focusing on developing technology rather than trying to drive the industry. My CA partner DigiCert have been doing an excellent job trying to push identity on the web forward, but the wider CA industry is slow and it's difficult for a CA to act unilaterally. That slowness has made the web a little less trustworthy - and now, on September 10, Chrome 77 will remove verification markers. The change isn't mentioned in Chrome's schedule, but you'll see it if you visit any EV site.
As a result, we'll be shutting down CertSimple on January 30th 2020.
CertSimple's been a labour of love for quite some time. As a system administrator, I remember finding out CAs had dropped verification back in the mid 2000s. At the beginning of 2015, frustrated with the process of GoDaddy taking months to verify a company, I started hacking on CertSimple.
I'm proud of what CertSimple has achieved:
Over the next few days, we'll be contacting customers and sending them a migration plan. EV certificates are still useful in particular cases (Tor is an excellent example - Tor 'domain names' mean even less than regular domain names), and they'll still work in non-Chrome browsers, but it would be wrong to pretend that verification is not hugely diminished at this point.
Meanwhile, you can find me over at my new company BoomSaaS, where we're helping developers turn code into full-featured SaaS products instantly.
Mike MacCana, founder at CertSimple.