Browsers should once again clearly distinguish between “encrypted” and “trustworthy” – bring back identity display for OV/EV
Introduction
Today, every domain with a free DV certificate looks almost as “trustworthy” in the browser as a costly verified company identity (OV/EV). Encryption works - but the signal for genuine identity has become virtually invisible to normal users. This helps phishing and fraud.
Main text
We call on browser manufacturers (Chrome/Chromium, Firefox, Safari/WebKit, Edge) and the CA/Browser Forum to:
- Provide clear, standardized identification of identity: For OV/EV certificates, the verified organization name should be visible and easily recognizable again – not hidden behind several clicks.
- Better UX instead of marketing icons: A neutral, space-saving solution (e.g., a uniform “Verified Company” label/badge, optionally expandable) makes more sense than a confusing uniform lock that only signals “encrypted.”
- Information directly in the browser: When clicking on the lock, it must be clearly explained: “Encrypted” ≠ “reputable.” DV confirms domain control, not the identity of the operator.
- Make abuse more difficult: Browsers should display identity information consistently and highlight it more prominently when no verified organization exists (e.g., on login/payment pages) to make phishing less effective.
The lock icon could use the following colors for this purpose:
- DV (free of charge) = As currently (white lock frame, transparent)
- DV (subject to a fee) = Completely filled in gray
- OV = Completely filled in orange
- EV = Completely filled in green
In addition, data could be viewed without having to click on it, simply by hovering over it...
Change to data displayed
Currently, OV certificates show not only the issuer of the certificate but also the address details of the certificate applicant. However, these can only be viewed in the certificate details, which can only be accessed with four clicks! This data could simply be displayed directly, as is the case with EV, when hovering over the icon...
Secure connections are important – but users need a useful signal again to show who is behind a site. The current situation makes it almost impossible for laypeople to quickly distinguish between “any domain” and “a verifiably verified company.”
Justin Nogossek Contact the author of the petition