What Happened to the Green Address Bar on EV Certificates?

For business websites, this unique UI feature displayed their company’s name in a green box alongside the URL, typically accompanied by a padlock icon, serving as an immediate trust indicator to users that they were on the organisation’s legitimate website (chiefly helping to combat phishing attacks).  

Because of the higher cost of EV SSL Certificates relative to other types of SSL Certificates, the green address bar was also a visual indication of the legitimacy of your business and something webmasters were proud to have. 

However, modern browsers like Google Chrome and Safari no longer display the green address bar, regardless of what SSL Certificate is installed. In this article, we’ll explore the rise of the green address bar, why it disappeared from browsers, and the usefulness of EV SSL Certificates without it. 

What we understand as the green address bar took various forms depending on the browser and stage in its lifecycle. Broadly speaking, the green address bar was a visual UI feature activated by browsers for websites that had EV SSL Certificates. 

It displayed the organisation’s name alongside its website URL, typically with an accompanying padlock icon. In some iterations, the word “Secure” or the domain’s country would be displayed alongside the company name (AU, US, UK etc.) 

The choice of green was obvious, as we as humans associate the colour green with ‘good’ or ‘go ahead’.  

The idea was to give users a quick visual cue that the website was both highly secure and legitimate, having gone through the extra validation requirements to obtain an EV SSL Certificate (like confirming business registration records, physical presence, etc.)  

The development of the green address bar is closely tied to the rise of Extended Validation (EV) SSL Certificates. The first version of EV SSL was formalised in 2007 at the CA/Browser Forum, where representatives from Certificate Authorities (CAs), web browsers, and other PKI-enabled software and systems gather to ratify guidelines for SSL/TLS, network security protocols, and more.  

Microsoft was the first to pioneer the implementation of the green address bar for sites that adopted EV SSL Certificates, displaying the verified organisation’s name prominently next to the URL and colouring the address bar a shade of green.  

Other browsers soon followed, and major CAs like Thawte and Comodo began to issue EV SSL Certificates, encouraging their adoption by e-commerce businesses as well as banks and other financial institutions where it was believed the extra level of validation and trust would be more important for users. 

One of the key goals of EV SSL was to separate identity security from encryption security.  

While having an SSL Certificate installed on a website meant that users could trust that their data was protected during communication with the website, it did not necessarily mean the website itself was legitimate. The high level of authentication offered by EV SSL Certificates offered a solution, providing the physical security of SSL/TLS encryption while also reassuring users that they are dealing with a legitimate legal business entity. 

Thus, the green address bar developed out of a need to visually indicate this higher level of authentication and trust to users. Rather than a user manually investigating a website’s certificate details, the green address bar gave immediate assurance that they were in the right place. 

Of course, the main utility of this was to combat phishing attacks, wherein an attacker could set up an imitation of a company’s domain, install a cheap SSL certificate, and begin to collect valuable data from users before being caught and blacklisted. 

Additionally, the green address bar motivated websites to undergo the extended validation process, helping to create a more trustworthy and transparent Internet landscape. After all, no organisation wants to be left out of the ‘trusted websites’ club. 

The golden age of the green address bar was between 2010 and 2018, when it was a universal feature of all popular web browsers. However, this was not to last.

The decline and eventual disappearance of the green address bar can be primarily attributed to a series of studies that indicated:

Early on, the usability study from Jackson, Simon, Tan, and Barth (2007) found that the green address bar and other positive trust indicators were not effective because users “have to look for them” and “can also mislead users of a legitimate web site that has been hijacked by an attacker using web vulnerabilities such as cross-site scripting.” This means that if a site were compromised from within, the green address bar would lull users into a false sense of security.

Ultimately, the search industry turned against the green address bar because it was reasoned that it was either widely ignored or misunderstood by users + did not necessarily guarantee that their information would be used responsibly.

As a result, the green address bar was slowly chipped away in successive browser updates, with Safari being the first to remove it entirely in 2018. As of Chrome version 76, Google still featured company information in the address bar but without any green colouring. Eventually, Google announced that Chrome would remove all EV information from the address bar, citing the aforementioned studies as part of their reasoning.

The green address bar had a good run, becoming a ubiquitous element of the web experience for over a decade. However, it is unlikely that it will ever return. 

While the green address bar seemed like a good idea in theory, in practical use, it didn’t do what it was meant to. For example, (Thompson et al., 2019) demonstrated that 85% of users tested failed to identify a phishing attack by examining the URL. This correlated with other prior studies, which concluded that users largely do not use the URL address bar to determine if a website is fake or fraudulent. 

Today, positive trust indicators like the green address bar are almost entirely absent from web browsers. Because HTTPs encryption is a minimum expectation for all websites nowadays, browsers prefer to rely on warning users when a site does not have an SSL certificate rather than informing them when it does. And because phishing/spoofing attacks have become increasingly sophisticated over the years, it’s easy for positive UI signals to be turned against users, having the opposite of the intended effect. 

EV SSL Certificates still function the way they always have. The green address bar was only a visual cue for the benefit of users, who, as the studies have indicated, ultimately ignored it anyway. 

So, while having EV SSL on a website is less noticeable to most users, it’s still valuable for organisations that want the highest possible level of authentication behind their SSL/TLS implementation. Additionally, EV SSL is still recommended by security standards like PCI DSS and helps organisations comply with HIPAA and GDPR due to its rigorous identity verification process. 

While some bemoan the loss of the green address bar, most internet users failed to notice or comment on its absence. This fact only reinforces the consensus that, despite being well-intentioned, this UI feature failed to achieve the desired effect. 

Ultimately, the green address bar will be remembered as an aesthetic relic rather than a critical functionality for safe web browsing.