Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Website Security Solutions

How Google Chrome supports EV SSL

Created: 02 Sep 2008 • Updated: 18 Dec 2012 • 8 comments
Tim Callan's picture
0 0 Votes
Login to vote

If you've been camping in the mountains or something you may not have heard that Google will be releasing its own browser, Chrome.

As you might expect, I was instantly curious about how Chrome works with SSL. These are quick and dirty preliminary results, but here's what I have for you today.

Chrome appears to work with SSL in the expected manner. When SSL is in place, the address bar still displays https, and a lock icon appears next to the address bar.

Chrome also recognizes Extended Validation SSL Certificates. The beta recognizes the VeriSign EV root, at the very least. Google does display the organization name to the right of the URL and highlights that name and the https indicator in green. It's a very consistent adaption of the IE7/IE8 EV experience into the light interface to which Chrome aspires.

I'm getting confirmation on this fact, but I think you have to enable revocation checking in the beta before Chrome will detect EV certs as such. The revocation checking requirement is a good one. I hope that in later betas Google will change the default to on, just as Microsoft did with Internet Explorer 7. If you need to turn on revocation checking, this Google tech note explains how.

I haven't had a chance to check out what Chrome does with self-signed or other untrusted roots or with certificate errors such as domain mismatches and expired certs. My hope is that the browser will handle all these scenarios properly, and if it doesn't in this beta that it will shortly. I'll look into these behaviors and let you know what I find out.

Comments 8 CommentsJump to latest comment

media kingdom's picture

despite the rumors, i'm finding Chrome's speed to be inconsistent; it seems to alternate between going lightning fast and then hanging for no apparent reason...

-1
Login to vote
sniffdoz's picture

Hi,

I have tested google Chrome in SSLv3 with client authentication ?

Because, he don't work !!! Not possible tu use google chrome to make authentication with certificate client.

Stupid !

Bye
Sniffdoz

+4
Login to vote
Paul's picture

Chrome shows a full red screen with an error message, https in the addressbar is crossed out with a red line.

Disappointing is that the first button on this error page is to go one to the unsecured page.

-1
Login to vote
Tim Callan's picture

Well, I'm not sure I fully understand any of these three comments, but clearly Chrome and SSL are motivating passionate response. Let it suffice to say that in my very limited usage Chrome has interacted with SSL correctly. It may be that other people are finding bugs, and in an early beta that wouldn't surprise me.

+1
Login to vote
Roger Lai's picture

pTim,

Where are the screen shots? Sure would be nice to see what it looks like without having to do the test myself.

Roger

-3
Login to vote
JULIAN's picture

I thought one of the important aspects of EV was the strong visual distinction between an EV secured site and standard SSL.
Recent firefox & IE have an obvious green indicator over all or part of the address.
Chrome makes the distinction only by displaying the organization name - which is not a really strong visual cue.
I'm sure less companies would be willing to pay high EV prices if most users will never notice.
I can only assume this is a deliberate move by google.

+5
Login to vote
Andy Gambles's picture

Interesting that the GlobalSign EV does not seem to function in Chrome (as yet)

http://www.andygambles.com/globalsign-ev-not-in-ch...

+3
Login to vote
Andy Gambles's picture

I agree with Julian. I hope Google / Cromium development make the green more obvious so to better follow the standards of the existing browsers.

-1
Login to vote