I used to work for an SSL certificate company. While I was there, I always had a little difficulty explaining to customers why Extended Validation (EV) SSL and the green address bar that accompanies it might be worth the extra cost. This article attempts to distill the industry standard so we can understand it without the hype. After all, when we seek information online about what EV is and what it entails in terms of security and credibility, most of what we find is sales pitches from SSL companies. This article will represent my best effort to provide no-nonsense information as an alternative.
Now, just so you know our potential bias upfront, at Superb, we do sell SSL certificates. We offer three different types, each from a Symantec subsidiary: RapidSSL, GeoTrust QuickSSL Premium, and GeoTrust True BusinessID with EV. All three types of certificates are tied to the Equifax root certificate. We sell each of them well below the prices set by the vendors, but many of our customers choose the RapidSSL because it’s so inexpensive … and also probably because it’s not quite clear why EV might be a wise choice.
To get our information, I am reviewing the details about SSL certificates presented by the CA/Browser Forum (CA/B Forum), an industry board that originally defined EV and continues to dictate how it is vetted and its basic appearance on the Web. The board includes representatives from all the major CAs (certification authorities) as well as all the major browser companies (including Microsoft, Apple, Google, and Mozilla). Essentially, the forum offers an across-the-board point of connection for the heavy hitters in the Web browser and SSL worlds.
What looking at the CA/B Forum allows us to do is get beyond what even the most trusted companies have to say about EV. Symantec, for instance, performed EV SSL case studies with its high-end certificates, the VeriSign brand, which is now called Norton Secured. These studies are honestly the most convincing I’ve seen because they’re documented in fairly thorough white papers and were conducted (rather than internally) by outside entities, such as The Find.
Along with looking at the CA/B Forum, we will also look at perspectives from the Taxicab Forum. The Taxicab Forum, a group of cab drivers who get together to drink coffee, chain-smoke, and complain about marks, does not have a website and does not understand SSL certificates. However, its mission is similar (sort of) to the CA/B Forum: “to get marks securely and efficiently from point A to point B … or not.” That’s a little wishy-washy, guys.
What is SSL, For Real Though?
First, so we are all on the same page, let’s define exactly what we’re talking about: What is an SSL (secure socket layer) certificate or “cert” (and I’ll also get into why lower-end cert encryption can at times be less than ideal)? Well, for starters, it creates the lock symbol and converts all pages on which one is active from http to https. The CA/B Forum further describes SSL https://www.cabforum.org/faq.html as “a security protocol that operates between a browser and a Web site … [providing] confidentiality and data integrity by means of cryptographic techniques.”
Primarily, what an SSL certificate is standardly performing, as a piece of technology, is encryption via an accepted, standardized format. SSL certs from legitimate companies all operate on similar algorithms. The other function it serves is third-party vetting and basic site ownership information to create a standardized sense of trust for users of sites. Bear in mind that vetting ranges enormously for the different types of SSL validation – RapidSSL only verifies the domain, for instance, while the GeoTrust EV certificate verifies site ownership as well (and that verification can be extensive – well, that’s the name – as discussed below).
Finally, the integrity of the data is much less likely to be compromised when https is in place. Three ways in which this can happen include:
- ISP Tampering – Internet Service Providers are disallowed from changing anything that passes between a user and a site.
- DNS Security – Meddling with DNS, such as cache poisoning, becomes less likely if an SSL is in place.
- HTTP Security – Hacks to the http cache, such as http response splitting, are also prevented.
It makes sense that the SSL companies and browsers must act in concert. If the algorithm used by a company is determined to need improvement, the browsers will stop accepting it. Issues with algorithms can be a particular problem with the lower-end certificates, if history is any indication.
Mozilla, for instance, started disallowing older RapidSSL certificates on Firefox (showing a security error if they were left in place after a certain date) a couple years ago because it determined there was a security loophole in some of the older certificates. The RapidSSL algorithm had already been upgraded to meet modern security standards; but some outmoded, multiple-year certificates still remained on several thousand sites. RapidSSL notified all of its customers and partners, and the company reissued updated certificates for free – so it wasn’t a huge problem. However, this is a great example of how SSL firms and the browsers must work in tandem to allow for the highest possible standards for https-enabled pages.
Taxicab Forum Comment:
“EV? Uh, that’s an electric vehicle, right? Oh, it’s a certificate. Yeah, you have to always keep your certification posted at all times, or you can get in trouble with the law. Hm? Internet security? Why are you asking me about this? You owe me $38.50. I’ve had the meter running while we’ve been talking.” – Keith Jones, Chaplain, Taxicab Forum
The CA/B Forum & EV Standards
Let’s look now at the primary standards for EV and then at why it might make sense for your organization. EV issuance and implementation protocol was developed by the CA/B forum along with committees from the American Bar Association and the Canadian Institute of Chartered Accountants. EV SSL certificates can only be issued to private associations and companies and to government branches. In other words, these types of certificates are not available for individual or sole proprietor purchase because the organization itself will be vetted via cross-checking of public records; additionally, executive leadership of the business must sign off on issuance and confirm a number of the company’s details.
The Parameters for EV
The parameters through which an EV is validated is different depending on the type of entity that is requesting the certificate. Just to get a basic sense, let’s look at how a business is validated:
- The company requesting the EV cert must exist within the records of a registration agency (typically a state government in the case of the United States).
- Physical location of the business must be verifiable (in other words, it must have a street address).
- Executive leadership at the company must be validated (so in other words, not just the business itself but a real-live human must verify request of the SSL)
- The executive must verify details of the request (also referred to as the subscriber agreement).
- The business can use a DBA (“doing business as”) name, but only if that DBA is verifiable as a part of the business. ** Note that in my experience, this aspect causes the greatest frustration for companies; because of this, you cannot choose what to call yourself. It’s all about what is verifiable in public records: your official name therein.
- Neither the company nor the executive may exist physically (via physical location or residence) in a nation in which the CA cannot legally issue a certificate.
- Neither the company nor the individual may be on a list of organizations disapproved by the government where the CA is principally located.
Taxicab Forum Comment:
“Security, yeah I know about security. That’s why I have a mace: not the spray kind of mace, but the kind you swing at people. I use it for the same purposes as they did back in the Middle Ages: to break through armor. You’re safe though, because you’re not wearing armor. I like people. I’m just anti-armor, that’s all.” – Lou-Anne Richardson, VP of Security, Taxicab Forum
Why EV Might Make Sense: Objectives
OK, now let’s discuss objectives. Here is why EV was created by the CA/B members:
- Site & User Security – Like all SSL, the EV allows a safer Web experience via use of virtual keys. Encryption scrambles all information in transfer.
- Business Validation – Confirmation of the business through private and public channels allows site users to know the physical location and legal existence of the site business and administration.
- Fraud Reduction – Fraud can be prevented in several ways via an EV SSL certificate:
– Less likelihood of phishing occurring on enabled sites. Both the extensive validation procedures and presentation of the green address bar make it easier to know that the site is the legitimate one, not an impostor.
– Easier for law enforcement to fight phishing and other types of online fraud (theft or “borrowing” of a website’s identity, essentially) by providing clearer details of what is “real” and “unreal” on the Web.
Taxicab Forum Comment:
“Well, I think I sort of understand what you mean. Green means go, so the green thing is supposed to tell people that it’s safe to proceed on the website. Well, here’s the thing: yellow also means go. In fact, in certain cases, red means go. And every so often, I come across a blinking blue light, and I just blow right through it. One time I drove off the end of a bridge because of that, but I hit the bank on the other side and just kept driving.” – Mike Wright, Assistant to the Ombudsman, Taxicab Forum
It’s obvious with EV SSL certificates that they’re helpful to making a user feel more secure because of the green address bar. It’s a visual cue that even a child can understand. I will also say that the argument of, “No one knows what that is,” which I’ve heard a lot, seems off-base. The whole idea of it is that you don’t need to know what it is necessarily: the green indicator, business name, and name of the issuing CA in the browser makes it abundantly clear that the site is doing business in a responsible way, according to the browser and to the security company (eg, Symantec).
Hopefully, though, this article has gone beyond the basics and been helpful in establishing details that go beyond what you might have already read or heard about EV SSL certificates. Now you can decide for yourself whether or not they are worth the added expense for your business and for the general online security movement. And a huge thanks to Mike, Lou-Anne, and Keith for your expertise and for not hitting me with the mace or driving me into a river. Sorry for the $1.50 tip, Keith.