Credit: ID 136960342 © Raffaele1 | Dreamstime.com
Google on Tuesday released Chrome version 77 for all platforms bringing fixes for dozens of security flaws and small but important change to how some HTTPS sites are displayed in the beginning of URL bar.
There aren’t many new features added in Chrome 77 and not much has changed to how it looks, however it does fix 52 security flaws, including one critical bug and 9 high severity flaws, making it the largest set of security fixes in the past few months.
The one critical flaw fixed in this update was the bug tracked as CVE-2019-5870, described by Google simply as a “use-after-free in media” that was reported by Guang Gong, a researcher with Qihoo 360’s Alpha Team on August 29 or 12 days prior to Chrome 77’s release date. No further details were provided.
The same researcher found three more flaws affecting Chrome below version 77, including two high-severity flaws in Google’s V8 JavaScript engine for Chrome and a medium severity flaw in that engine.
In Chrome 77 Google has followed through with a change to how it displays extended validation (EV) SSL certificates for HTTPS websites that it announced in mid-August. To users, these may have been recognizable as the green letters or green space at the beginning of the URL bar displaying the full name of the company that owns the EV SSL certificate.
Firefox-maker Mozilla and Google decided last month that EV certificates weren’t serving their intended purpose of thwarting phishing attempts. Also, none of the top 10 websites in the world, such as Google, Facebook and Twitter use EV certificates, but they’ve remained commonly used by banks.
Announcing the change coming in Chrome 77, Google bluntly stated of EV certificates: “Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.”
And the company argued that this space, right up front in the URL bar, is valuable and tightly packed real-estate. At the same time, certificate authorities (CAs) can earn extra cash through additional identity validation procedures required for EV certificates.
As of Chrome 77, EV certificate details will be hidden behind the lock icon in the browser’s address bar. Mozilla will adopt the same change to how it displays EV certificates in Firefox 70 out in October. Apple stopped displaying EV certificate indicators in Safari last year, meaning the EV certificate is effectively dead.
There are other problems with EV certificates that cause problems for businesses which continue to buy them. UK security researcher Scott Helme today boasted that he’d managed to get $1 million worth of EV certificates -- valued at around $250 each -- revoked, because the “extended” part of the validation process for these certificates was missing in many cases.
He points to the case of SAS or Scandinavian Airlines, which has head offices across the Nordics. The company provided a CA its Danish company number but registered a certificate for the company's offices in Sweden. The certificate had to be revoked, even though it wasn’t a serious issue.
CAs are meant to manually check domain name requests to confirm the identity of an applicant is legitimate. An approved certificate also stores the registered serial number of the organization and their physical address.
And following the rules, as Helme noted, the SAS certificate had to be revoked: “Because the data in the cert is now known to be wrong it must be revoked by the CA in question. There is no alternative.”
He noticed SAS’s EV certificate revocation in a Tweet by a Swedish researcher in mid-August and decided to explore how many other valid certificates were similarly flawed. So he ran a scan for EV certificates for organizations in the UK and found over 4,000 certificates with missing or incorrect details that were meant to have been checked during EV certificate validation processes, but weren’t until Helme flagged them with the CAs.
And his quick research didn’t canvas the rest of the world, including the US where there are EV certificates issued to companies that don’t even exist.
Regardless of quality issues with validation processes, Chrome's relegation of EV certificate indicators to a spot behind the lock icon suggests this aspect of the certificate business won't be around for much longer.