Tag Archives: SSL

Using CloudFlare to protect and speed up your website & brain

 

Wow! If you run a forum you need Cloudflare - it cut my webserver CPU usage in half!

Speed is crucial online. How fast a page loads matters both for keeping visitors happy and for keeping them from leaving your site. But speed is not just a UX (user experience) concern; it also affects search engine rankings, and that factor is becoming more important as Google’s algorithm weighs it more heavily. Tumblr’s servers, for example, do not meet Google’s standards for speed.

Obviously the speed at which your site serves its content depends on a mixture of factors. For example, how many images do you have on your page? Are they compressed? What type of hardware are you using (server, etc.)? Are there a lot of WordPress plugins on your site? Simple sites running on great equipment load very quickly, and complex sites on clunky equipment don’t. However, there is a cheat.

CloudFlare is that cheat. It’s free. It makes your site faster. It makes it more difficult for spammers to harass you. It strengthens the security of your site. I know… It sounds implausible. In this three-part series, we will look at CloudFlare from a variety of different angles.

How to improve your ecommerce server security & love yourself

 


Server security is one of the first things we should consider when we get ready to go into online business, and it should be reviewed regularly afterwards, not just at launch. PCI compliance is one thing, but it’s a little opaque and complicated when we’re taking initial steps to “harden” (enhance the protections of) the server.

Also we must love ourselves. Sometimes everything looks bright and sunny. Sometimes, it looks blue (that’s not a happy color). Sometimes it looks dreary and gray. When we start seeing colors that make us want to cry, we must grab all of our stuffed animals, line them up in a row, and have them sing the Hallelujah Chorus to us (don’t worry, all stuffed animals know it by heart).

We’ll look at a number of different issues in this series: SSL, perimeter security such as firewalls, passwords, site backups, policies, authorizations, etc. Our general overview will cover the first two parts, and then the final part will focus specifically on passwords – the most basic form of protection and, in some ways, the easiest to defeat.

How to Install the Green Address Bar

In previous articles we explored the certificate behind the website that gets your site the trusted green address bar. Whilst some people take some convincing to install this kind of certificate on their website, I think it actually improves your brand image to see a trusted green address bar.

EV SSL Certificates are Worth their Wait


From sslprotocolinfo.wordpress.com – Yesterday

Customers are learning the importance of web security and validation in e-Commerce SSL Certificates go beyond encryption technology for businesses that participate in e-commerce…

Juliana Payson‘s insight:

Because of the more stringent requirements, it is impossible to issue these certificates in minutes (as can be done for just a Domain Validation Certificate), but with an EV SSL Certificate a business gets the green address bar. This article goes on to describe how the stringent validation process is put in place, in order to provide the user a guarantee of genuine service and business identity.

How to Choose the Right and Best SSL Certificate Provider – 10 Easy Tips from TheSSLStore™


From edusslblog.wordpress.com – 1 week ago

With the number of online scams and frauds multiplying day by day, the need for SSL certificates to validate the credibility of a website is on rise. And most of the eBusiness owners are well aware…

Juliana Payson‘s insight:

A quality SSL certificate with the strongest encryption technology to build trust, boost confidence and increase conversions does not come at the cheapest price. As with taking the care to choose your webhost, TheSSLStore go into an in-depth checklist of why “Googling” and trusting the relevant search for “best” and “cheap” SSL certificates should always come with further diligence.

 

Install an SSL Certificate on a Domain



From docs.cpanel.net

You can use the Install an SSL Certificate on a Domain feature to install a certificate on your domain. Before you can use this feature, you must have a certificate already created or purchased, and an activation key…

Juliana Payson‘s insight:

There are 3 ways to install a certificate on a domain:

  • You can use the Browse Certificates button to retrieve information,
  • You can enter the domain and have the interface fill in the fields automatically,
  • Or you can choose an IP address and have the interface fill in

Here is cPanel’s step by step documentation to help you install your SSL certification through your Web Hosting Management Panel.

– Juliana

A No-Nonsense Guide to EV (“Green Bar”) SSL … Plus Some Jokes

 


I used to work for an SSL certificate company. While I was there, I always had a little difficulty explaining to customers why Extended Validation (EV) SSL and the green address bar that accompanies it might be worth the extra cost. This article attempts to distill the industry standard so we can understand it without the hype. After all, when we seek information online about what EV is and what it entails in terms of security and credibility, most of what we find is sales pitches from SSL companies. This article will represent my best effort to provide no-nonsense information as an alternative.

Now, just so you know our potential bias upfront, at Superb, we do sell SSL certificates. We offer three different types, each from a Symantec subsidiary: RapidSSL, GeoTrust QuickSSL Premium, and GeoTrust True BusinessID with EV. All three types of certificates are tied to the Equifax root certificate. We sell each of them well below the prices set by the vendors, but many of our customers choose the RapidSSL because it’s so inexpensive … and also probably because it’s not quite clear why EV might be a wise choice.

To get our information, I am reviewing the details about SSL certificates presented by the CA/Browser Forum (CA/B Forum), an industry board that originally defined EV and continues to define how it is vetted and how it is displayed in the browser. The board includes representatives from all the major CAs (certificate authorities) as well as all the major browser companies (including Microsoft, Apple, Google, and Mozilla). Essentially, the forum offers an across-the-board point of connection for the heavy hitters in the Web browser and SSL worlds.

What looking at the CA/B Forum allows us to do is get beyond what even the most trusted companies have to say about EV. Symantec, for instance, performed EV SSL case studies with its high-end certificates, the VeriSign brand, which is now called Norton Secured. These studies are honestly the most convincing I’ve seen because they’re documented in fairly thorough white papers and were conducted by outside entities, such as The Find, rather than internally.

Along with looking at the CA/B Forum, we will also look at perspectives from the Taxicab Forum. The Taxicab Forum, a group of cab drivers who get together to drink coffee, chain-smoke, and complain about marks, does not have a website and does not understand SSL certificates. However, its mission is similar (sort of) to the CA/B Forum: “to get marks securely and efficiently from point A to point B … or not.” That’s a little wishy-washy, guys.

What is SSL, For Real Though?

First, so we are all on the same page, let’s define exactly what we’re talking about: What is an SSL (Secure Sockets Layer) certificate or “cert” (and I’ll also get into why lower-end certs can at times be less than ideal)? Well, for starters, it is what lets a web server serve its pages over https instead of http, which is what produces the lock symbol in the browser. The CA/B Forum (https://www.cabforum.org/faq.html) further describes SSL as “a security protocol that operates between a browser and a Web site … [providing] confidentiality and data integrity by means of cryptographic techniques.”

Technically, the certificate itself does not encrypt anything. It binds the site’s public key to the site’s name, with the CA’s signature vouching for that binding, and the SSL protocol uses that key to authenticate the server and negotiate the session keys that actually encrypt the traffic. Certs from legitimate CAs all plug into the same standardized protocol and algorithms. The other function the certificate serves is third-party vetting: the CA attaches basic site-ownership information so that users get a standardized sense of whom they are talking to. Bear in mind that vetting ranges enormously for the different types of SSL validation – RapidSSL only verifies control of the domain, for instance, while the GeoTrust EV certificate also verifies the organization behind the site (and that verification can be extensive – well, that’s the name – as discussed below).

Finally, the integrity of the data is much less likely to be compromised when https is in place. Three kinds of tampering it guards against:

  1. ISP Tampering – An Internet Service Provider (or anyone else on the path) cannot alter what passes between a user and a site without breaking the connection, because the traffic is encrypted and integrity-checked end to end.
  2. DNS Attacks – Meddling with DNS, such as cache poisoning, can still send the user to the wrong server, but that impostor cannot present a valid certificate for the domain, so the browser shows a warning instead of the page.
  3. HTTP Injection – Attacks that depend on someone on the path injecting or rewriting HTTP responses (poisoning cached pages, for instance) are blocked for the same reason. Note that https does not fix bugs in the site’s own code, such as http response splitting; it only protects the data in transit.

It makes sense that the SSL companies and browsers must act in concert. If an algorithm a CA uses (the hash it signs certificates with, for instance) is found to be weak, the browsers will stop accepting certificates that depend on it. Issues with algorithms have been a particular problem with the lower-end certificates, if history is any indication.

Mozilla, for instance, started disallowing older RapidSSL certificates in Firefox (showing a security error if they were left in place after a certain date) a couple of years ago because it determined there was a weakness in the signature algorithm used on some of the older certificates. RapidSSL had already moved to a stronger algorithm by then, but some outmoded, multi-year certificates still remained on several thousand sites. RapidSSL notified all of its customers and partners, and the company reissued updated certificates for free – so it wasn’t a huge problem. However, this is a great example of how SSL firms and the browsers must work in tandem to allow for the highest possible standards for https-enabled pages.

Taxicab Forum Comment:

“EV? Uh, that’s an electric vehicle, right? Oh, it’s a certificate. Yeah, you have to always keep your certification posted at all times, or you can get in trouble with the law. Hm? Internet security? Why are you asking me about this? You owe me $38.50. I’ve had the meter running while we’ve been talking.” – Keith Jones, Chaplain, Taxicab Forum

The CA/B Forum & EV Standards

Let’s look now at the primary standards for EV and then at why it might make sense for your organization. The EV issuance and implementation guidelines were developed by the CA/B Forum along with committees from the American Bar Association and the Canadian Institute of Chartered Accountants. EV SSL certificates can only be issued to organizations: private companies and associations, and government entities. In other words, these types of certificates are not available for individual or sole proprietor purchase, because the organization itself will be vetted by cross-checking public records; additionally, executive leadership of the business must sign off on issuance and confirm a number of the company’s details.

The Parameters for EV

The parameters through which an EV cert is validated are different depending on the type of entity that is requesting the certificate. Just to get a basic sense, let’s look at how a business is validated:

  1. The company requesting the EV cert must exist within the records of a registration agency (typically a state government in the case of the United States).
  2. Physical location of the business must be verifiable (in other words, it must have a street address).
  3. Executive leadership at the company must be validated (in other words, not just the business itself but a real, live human must confirm the request for the cert).
  4. The executive must verify details of the request (also referred to as the subscriber agreement).
  5. The business can use a DBA (“doing business as”) name, but only if that DBA is verifiable as a part of the business. ** Note that in my experience, this aspect causes the greatest frustration for companies; because of this, you cannot choose what to call yourself. It’s all about what is verifiable in public records: your official name therein.
  6. Neither the company nor the executive may exist physically (via physical location or residence) in a nation in which the CA cannot legally issue a certificate.
  7. Neither the company nor the individual may be on a list of organizations disapproved by the government where the CA is principally located.

Taxicab Forum Comment:

“Security, yeah I know about security. That’s why I have a mace: not the spray kind of mace, but the kind you swing at people. I use it for the same purposes as they did back in the Middle Ages: to break through armor. You’re safe though, because you’re not wearing armor. I like people. I’m just anti-armor, that’s all.” – Lou-Anne Richardson, VP of Security, Taxicab Forum

Why EV Might Make Sense: Objectives

OK, now let’s discuss objectives. Here is why EV was created by the CA/B members:

  1. Site & User Security – Like all SSL, the EV cert allows a safer Web experience via public-key cryptography: the session is encrypted, so all information is scrambled in transit.
  2. Business Validation – Confirmation of the business through private and public channels allows site users to know the physical location and legal existence of the site business and administration.
  3. Fraud Reduction – Fraud can be prevented in several ways via an EV SSL certificate:

– Less likelihood of phishing occurring on enabled sites. Both the extensive validation procedures and presentation of the green address bar make it easier to know that the site is the legitimate one, not an impostor.

– Easier for law enforcement to fight phishing and other types of online fraud (theft or “borrowing” of a website’s identity, essentially) by providing clearer details of what is “real” and “unreal” on the Web.

Taxicab Forum Comment:

“Well, I think I sort of understand what you mean. Green means go, so the green thing is supposed to tell people that it’s safe to proceed on the website. Well, here’s the thing: yellow also means go. In fact, in certain cases, red means go. And every so often, I come across a blinking blue light, and I just blow right through it. One time I drove off the end of a bridge because of that, but I hit the bank on the other side and just kept driving.” – Mike Wright, Assistant to the Ombudsman, Taxicab Forum

Conclusion

It’s obvious with EV SSL certificates that they’re helpful to making a user feel more secure because of the green address bar. It’s a visual cue that even a child can understand. I will also say that the argument of, “No one knows what that is,” which I’ve heard a lot, seems off-base. The whole idea of it is that you don’t need to know what it is necessarily: the green indicator, business name, and name of the issuing CA in the browser make it abundantly clear that a real, vetted organization stands behind the site, according to the browser and to the security company (eg, Symantec).

Hopefully, though, this article has gone beyond the basics and been helpful in establishing details that go beyond what you might have already read or heard about EV SSL certificates. Now you can decide for yourself whether or not they are worth the added expense for your business and for the general online security movement. And a huge thanks to Mike, Lou-Anne, and Keith for your expertise and for not hitting me with the mace or driving me into a river. Sorry for the $1.50 tip, Keith.

by Kent Roberts and Richard Norwood

The Case Against FTP & for SFTP

 


FTP (File Transfer Protocol) clients are standard parts of many web hosting packages. We even have them in ours. Host services include FTP because people are looking for it – but it’s not necessarily the best tool to use for your site. The reason it’s a questionable protocol is simple, as is switching to a replacement solution, SFTP (the SSH File Transfer Protocol, often expanded as Secure File Transfer Protocol). All this will be discussed below.

For this article, I looked at various pieces from around the web, including “Why You Need to Stop Using FTP” from JBDFu.com, “Security Issues in FTP” from raditha.com, “FTP, SFTP and FTP/S” from InformIT, and “Backdoor (computing)” from Wikipedia.

FTP is not all bad. It runs over TCP, so it gets reliable, in-order delivery and checksums against accidental corruption – but nothing that protects the data against someone deliberately reading or altering it. That is the basic problem with FTP: it does not have the security that SFTP does. We spoke similarly, in a recent blog post, about SSH (Secure Shell), another way to interact between machines securely. It’s common sense that choosing less secure methods to communicate and transmit data is suspect … well, depending what you’re doing.

FTP has good company in sending data out in the open. Other protocols that send unencrypted data, in their plain, non-TLS forms, include POP, IMAP, and Jabber (XMPP). All things equal, though, secured is better than unsecured, right? After all, regardless of if or how someone might use your data, isn’t there a creepiness factor about someone looking at your stuff?

Speaking of your “stuff,” maybe this is a good way to put it: Sure, leave your windows and blinds open sometimes if you like. But when the real gets real, when you’re having a private conversation with your divorce lawyer or making babies with your wife (hopefully in the reverse order) and all your “stuff” is out in the open, secure the perimeter. Simply put, FTP is peeping-Tom friendly, and SFTP is not.

What FTP Has in Common with Telnet

OK, the JBDFu.com gives a pretty clear understanding of why straight-up FTP is not preferable. It was invented in the early 70s. Oh, the 70s. They were a blissful time, when all we had to worry about was … our clothes and how we were painting our walls and designing our homes and buildings. We didn’t have any time to think there might be kill-bots trying to steal all our information and our souls if we freely streamed data between two points. Passwords, anyone? Who gives a s%$&, nobody wants it.

OK, so quick review of Telnet entitled

Telnet: A Magical Program that You are Bound to Love Forever!! Hurray for Telnet!!

OK well, I don’t know what the point of the title is, but Telnet … [sound of my throat clearing] Telnet is every bit as old as FTP. It’s outdated. It has the same unsecured problem that FTP does. Let’s talk about the unsecured issue within FTP in further detail.

Enter SSH

OK, so Telnet, mid 70s, no encryption. In the mid-1990s, people started switching over to SSH (Secure Shell). In other words, Telnet was recognized as being an inferior technology, and we moved on. Somehow FTP has stuck. It’s an established standard. There are tutorials all over the place telling us to use an FTP client to do such-and-such. Ideally, we don’t want to transfer or access files with FTP, though, because it has the same issues as Telnet re: security.

“Use an FTP client to do this.” “Use an FTP client to do that.” Everybody’s saying it to us all the time. It’s not an accident. You know why? Do you? Really, you do? I doubt you do. Are you sure? You think you know why? You do? Hm, we seem to be talking in circles. Lean your head toward me so I can whisper it to you in case a military surveillance aircraft flies by. “I often use this technique to allow me to whisper to people. It’s a really disgusting habit.” You heard it here first.

What’s wrong with FTP? It means well.

Basic issues with FTP:

  • Passwords 4 Free: It doesn’t encrypt passwords during transmission. What’s the point of a password if it’s not encrypted for transit? Seems kinda pointless. Like you lock the door and then leave your key under the mat. The protocol sends the login as plain-text USER and PASS commands, and the server can only process them that way. Partially due to this, the root account of a server typically is not usable for FTP or Telnet (which, again, has the same issues).
  • Data Free-for-All: Data transmission is not encrypted. Now, this does not necessarily matter, but be aware at all times that it’s easy for people to see what you’re doing. FTP should feel like a public rather than a private place. Also, since FTP is often used to upload files to web servers, getting into your account isn’t just a matter of reading it, as when someone gets into your email account. Access means they can change your website. Nobody wants “Bobby Lou Was Here” scrawled across the top of their website (except for Bobby Lou, that is).
  • Open the Hack Door: FTP servers that are publicly available have had hackers change the code and create backdoors (which are intrusions that allow an outsider to enter a server unnoticed and often involve implantation of software for spying purposes). Backdoors are often not found for lengthy periods of time – years sometimes.
  • We Have Bug Problems: Some of the more commonly used FTP servers have reputations for being buggy.
  • Um … This is Hard: FTP uses a separate connection for every transfer in addition to the control connection on port 21. In active mode the server opens that data connection back to the client; in passive mode the client connects to a server port chosen on the fly. Either way, firewalls and NAT devices have to follow the control channel or leave a whole range of ports open, which makes port forwarding and firewall admin a pain (and it’s why a transfer so often just hangs).
  • Don’t Destroy the Evidence: Many FTP clients store saved login details in files on the client’s hard drive, unencrypted, in plain text. In other words, login details aren’t just unsecure during transit. They’re part of a paper trail that is automatically backed up on your computer.
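To make the first and the “This is Hard” points concrete, here is an added example (not code from the original article) that reads an FTP control-channel conversation the way a sniffer on the same network segment would. The capture below is constructed for the example, not real traffic; the host 203.0.113.10, the user name and the passwords are made up. It pulls out every USER/PASS pair, notes whether the login worked, and decodes the 227 “Entering Passive Mode” reply into the address and port the client will connect to for the data transfer, which is exactly the value a firewall has to discover in order to allow it.

```python
"""What an on-path observer sees on an FTP control connection."""
import re
from typing import List, Tuple

# Constructed sample of an FTP control channel (port 21) as a sniffer would
# reconstruct it. Hosts, user and passwords are invented for this example.
SAMPLE_STREAM = """\
220 FTP server ready.
USER webmaster
331 Please specify the password.
PASS wrong-guess
530 Login incorrect.
USER webmaster
331 Please specify the password.
PASS hunter2
230 Login successful.
PASV
227 Entering Passive Mode (203,0,113,10,195,80).
STOR billing-export.csv
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

# 227 reply: h1,h2,h3,h4 are the IPv4 octets, p1,p2 the port (p1*256 + p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def extract_credentials(stream: str) -> List[Tuple[str, str, bool]]:
    """Return (user, password, login_succeeded) for every login attempt.

    USER and PASS go over the wire in clear text, so an observer needs no
    more than line splitting to recover them; the 230/530 reply tells the
    observer whether the password was right.
    """
    found: List[Tuple[str, str, bool]] = []
    user = password = None
    for line in stream.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user, password = arg, None
        elif cmd.upper() == "PASS":
            password = arg
        elif cmd.startswith("230") and user is not None and password is not None:
            found.append((user, password, True))
            user = password = None
        elif cmd.startswith("530") and user is not None:
            found.append((user, password or "", False))
            user = password = None
    return found


def passive_endpoints(stream: str) -> List[Tuple[str, int]]:
    """Decode each 227 reply into (ip, port) of the next data connection."""
    out: List[Tuple[str, int]] = []
    for m in PASV_RE.finditer(stream):
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        out.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return out


if __name__ == "__main__":
    for user, password, ok in extract_credentials(SAMPLE_STREAM):
        print(f"{user}:{password} ({'accepted' if ok else 'rejected'})")
    for ip, port in passive_endpoints(SAMPLE_STREAM):
        print(f"data connection to {ip}:{port}")
```

Run the same logic against a captured SFTP session and it finds nothing: after the SSH key exchange, every byte on the wire, including the password or the file names, is ciphertext. The passive port also changes with every transfer, which is why a firewall has to either track the FTP control channel or open a whole range of high ports.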

Example Scenario

So as described above, everything passes through via FTP as clear text. That includes all the login credentials, and that’s the most glaring issue. However, downloading of files presents additional problems. You can’t ever really know if an ecommerce site is safe with your information, for example.

So, picture this, my friend: You go in to buy a product on a small website, such as a large blue vase with an image of naked men wrestling (which you’ll tell your wife you purchased purely for aesthetic purposes). They have a high-quality SSL certificate, maybe even an EV (“extended validation,” green bar) one. You think you’re fine. Input your credit card details. OK transfer successful, via SSL. You’re good. Then an administrator for the site pulls all the billing info from the site using an FTP client.

In other words, FTP can cause problems even when someone has safely transmitted their data to you. It’s not just about the client’s card information. It represents the potential for holes in your system. Swiss cheese is delicious, but I don’t trust it either.

Alternatives to FTP: Following Protocols

OK so again, FTP is not without its merits but it does not have the security we want for our passwords and much of the data we upload and download onto our website or network. Here are a few alternatives:

FTP/S: This is not SFTP. It is plain FTP with SSL/TLS wrapped around it, so it secures authentication (your login credentials) and can also secure the data transfer. Explicit FTPS upgrades the normal port-21 connection with an AUTH TLS command; implicit FTPS uses a dedicated port (990) and is encrypted from the first byte. In that sense, FTP is to FTP/S as HTTP is to HTTPS, loosely speaking. It is not very popular, partly because it inherits FTP’s separate data connections, and once the control channel is encrypted a firewall can no longer read the passive-mode replies to work out which data port to allow.

You need an SSL certificate, which means you either have to create a self-signed one yourself and get it set up correctly or buy one to use. It’s just a little annoying and can bear a small expense. It’s also not as easy to set up as some of the other methods are.

SFTP: OK, so let’s look at our winner. SFTP is probably the best alternative to FTP for four reasons.

  1. Secure Shell foundation: SFTP is a subsystem of SSH, which is widely used and trusted for data encryption and transmission. There is no unencrypted mode to fall back to.
  2. Yes, it is a popularity contest: Because SFTP is popular, it’s easy to find free software that’s compatible with your OS.
  3. No sweat: Easy to operate and maintain. Typically you can have an SSH server double as an SFTP server. SSH installation is quick too.
  4. Use of keys: With keys, everything is automated. The whole interaction is encrypted from beginning to end.

SCP: SCP, also known as Secure Copy, is similar in some ways to SFTP: it allows secure copying/transferring of files, and like SFTP it runs over SSH. The difference is how much the remote side is allowed to do. SCP works by running a command on the remote machine, so an account that can use SCP is in effect a shell account, and the client trusts whatever the server sends back. SFTP, by contrast, is a file-access protocol that the server can confine to a directory and restrict to file operations. The safest way to hand file transfer to other people, then, is SFTP. For your own shell accounts, either SFTP or SCP will do.
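This is what “restrict to file operations” looks like in practice. The following sshd_config fragment is an added example, not configuration from the original article or from any particular hosting package; it assumes a Unix group named sftponly exists and that each member has a directory under /srv/sftp (both names are arbitrary).

```text
# Added example sshd_config fragment (assumed group "sftponly", assumed
# directory layout /srv/sftp/<user>): members get SFTP only, no shell,
# no SCP, no port forwarding, and cannot leave their own directory.
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

The Subsystem line must come before any Match block, since everything after a Match applies only to matching connections. The chroot directory itself (and every directory above it) has to be owned by root and not writable by anyone else, so give the user a writable subdirectory inside it for uploads. Run `sshd -t` after editing to check the syntax before restarting the daemon, and keep an existing session open while you do it.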

TP: Toilet paper is typically not recommended for secure connections. It should be kept in the bathroom where it belongs. Toilet paper should not be jammed into a server. It should not be turned into digital software and used to wipe a backdoor. One reason TP does not work well as a secure file-transfer protocol is that it is made out of tissue rather than code, so it doesn’t contain any encryption. Also, sometimes you run out. While you’re driving to the store to get more, you’ve opened the window for malicious entry.

Summary & Conclusion

So, SFTP: Think about it people. Make it happen. Remember, even if the particular data or files you’re working with at a given time are not sensitive, your password itself can easily be stolen using FTP. That means it’s never secure for sensitive situations. If you have any further thoughts or advice related to this, please comment below.

by Kent Roberts and Richard Norwood

Choosing an SSL Certificate – Types of Validation

 


Secure Sockets Layer (SSL) encryption is a standardized protocol, and from a site owner’s standpoint installing a certificate is relatively simple. Typically with SSL, people slap an inexpensive certificate onto a site, partially because the longer forms of validation are annoying and tedious. Also, a web developer does not want to have to involve the client in the process – which is necessary for the more extensive validation methods.

However, understanding the different levels of validation can be helpful in considering at what point an EV certificate makes sense for a site – where the tradeoff is in terms of increased sales on an ecommerce site, for instance, assuming the green bar indicator is effective.

Certificate authorities also offer the red bar indicator, free of charge, for sites with expired certificates.

Domain Validation (DV) SSL

A domain validation (DV) SSL certificate is only validated via an email interaction. The certificate authority (CA) – the brand behind the particular cert (eg Thawte, Comodo, etc.) – sends out a verification email to one of the following addresses:

  • An address at the domain you are securing, such as info@, administrator@, etc.
  • The email address associated with the WHOIS record for the site (for example, longerversionofemailaddressforusewithwhois@thenaughtiestmailboxintheuniverse.xxx).

Domain validation, as its name suggests, only validates that you are the owner of the domain. It does not do any check on the business itself. Because company information is not checked, the certificate does not supply ownership information. DV certificates don’t have any identifying details in the “organization name” field of the certificate. This field usually either has the domain name listed again or says the business has not been identified.

Domain Validation SSL certificates are the cheapest certificates and only provide one of the two types of security: encryption to protect against theft of information in transit, but not confidence in the ownership of the site itself. One of the higher levels of validation ensures you are working with a real business and that you know who you are giving your card information to, if you are making a payment, or who is receiving your personal credentials. In other words, DV certs provide encryption, but not trust/assurance or accountability (naming oneself as the entity officially behind the site).

Simple DV certificates do not give you a sense of who is behind the site, just that data won’t be intercepted. A higher quality EV certificate will say in the certificate Russian Mafia Internet Fraud Division, so you are confident you are sending all your sensitive details to the right organization, the people making payments to you on behalf of the Global Mega-Millions Lottery (in which you recently won $6 billion in one cash payment arriving at your door in four days).

The DV certificate is extremely quick – it’s usually automated. However, some members of the Certificate Authority/Browser Forum, or CAB Forum, would like to get rid of this level of validation. (The CAB Forum is worth checking out, by the way, regarding SSL guidelines. It’s the industry group that sets standardized parameters for the browsers and SSL issuers to uphold. They determine what the baseline requirements are for EV and DV, for instance.)

The Internet has always been a battle of speed and security. Getting rid of DV certification would be very simple, if the CAB Forum decided in favor of making the transition. They would just pull the plug on recognizing those certificates. Already, browsers do not recognize self-signed certificates as legitimate (though self-signed certs work fine for in-house purposes where the certs aren’t publicly facing).

It’s noteworthy that the CA breaches of recent years, in which fraudulent certificates were issued for high-profile sites, all involved domain-validated certificates: the attackers got into CA or reseller issuance systems and minted certs with no organization vetting behind them. The attacker calling himself Comodo Hacker, for instance, famously claimed the 2011 breaches to further a political agenda. He claimed to have hacked several CAs, and the DigiNotar compromise led to the collapse of that CA, which had been securing Dutch governmental sites.

DV certificates can cost as little as $10 to $50 for a standard cert. Sometimes they are even issued for free for trial testing periods.

Organization Validation (OV) SSL

Organization validation means that the domain is checked but also that the organization is checked to ensure the business is legitimate. The company information is then available in the SSL certificate, so that there is no message that the owner of the site is unidentified. It says, for example, “Unidentified Company Name,” if that is the name of your company (weird name, dude).

OV certificates offer the same level of encryption but a heightened amount of confidence in the business that is receiving the details. Whereas DV certificates, as described above, only give confidence that no one will grab the data while it’s passing between your machine and the site, OV certificates provide more confidence in the site itself. What’s the point of protecting from theft in transit, after all, if the owner of the site is just going to misuse your data anyway?

OV certificates are checked both for the official name of your company (Pete’s Emporium of Candles Shaped Like Pinecones and Acorns) and its location (Room 746, Ritz-Carlton Hotel, Manhattan).

Rather than simply using automated vetting via email, the certificate authority manually checks the organization for each cert. The three basic aspects of vetting that are added on top of DV certification are the following:

  1. Is the business real?
  2. Did the business buy the certificate (or have it bought on their behalf)?
  3. Is the person listed as requesting the cert authorized to receive certs on behalf of the business?

With OV and EV certificates, though many people never look at the ownership details, those details have at least been vetted and are available for inspection in the certificate prior to doing business or otherwise interacting with a website. Note that because the validation process is more stringent with an OV certificate, it can often take a few days to issue one. Much of what is popular about DV, by contrast, is immediate issuance – typically within 10 minutes – but that speed is possible only because the automated check proves nothing beyond control of the domain.
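What “available for inspection” looks like in practice, for the OV and EV certificates discussed above and below: the validation level is recorded inside the certificate, both in the subject (an O= field naming the vetted organization) and, where the CA follows the CAB Forum rules, as a policy OID in the certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV). The script below is an added example, not code from the article or from any CA; it assumes only the openssl command line (1.1.1 or newer, for `req -addext`), builds self-signed sample certificates that are constructed here for illustration, reads the level back out of them, and then shows that the label counts for nothing unless the certificate chains to a trusted root.

```shell
#!/bin/sh
# Added example (not from the article): read the validation level out of an
# X.509 certificate with nothing but the openssl CLI, then show that the
# label is only as good as the chain of trust behind it.
# Assumptions: OpenSSL 1.1.1 or newer (for `req -addext`); the sample
# certificates below are self-signed and constructed here for illustration.
set -e

# CA/Browser Forum policy OIDs that a CA places in certificatePolicies to
# state which vetting it performed.
EV_OID="2.23.140.1.1"
DV_OID="2.23.140.1.2.1"
OV_OID="2.23.140.1.2.2"
IV_OID="2.23.140.1.2.3"   # individual validation, the OV analogue for a person

# True if the decoded certificate text in $1 lists policy OID $2.
has_policy() {
    oid_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*Policy: ${oid_re}\$"
}

# Print EV, OV, IV or DV for the PEM certificate in file $1.
# Policy OIDs are preferred; if the CA set none, fall back on whether the
# subject names an organization (O=) or only a domain (CN=).
classify_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    if has_policy "$text" "$EV_OID"; then echo EV
    elif has_policy "$text" "$OV_OID"; then echo OV
    elif has_policy "$text" "$IV_OID"; then echo IV
    elif has_policy "$text" "$DV_OID"; then echo DV
    elif printf '%s\n' "$subject" | grep -Eq '(^subject=|,)O='; then echo OV
    else echo DV
    fi
}

# Exit 0 if certificate $1 chains to a root in trust file $2, non-zero
# otherwise. An empty $2 means "trust nothing" (the system store is ignored).
chains_to_root() {
    if [ -n "$2" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

# Build a constructed self-signed sample: $1 output file, $2 subject,
# $3 optional policy OID to embed. The private key is discarded.
make_cert() {
    key=$(mktemp)
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$key" \
            -out "$1" -subj "$2" -addext "certificatePolicies=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$key" \
            -out "$1" -subj "$2" 2>/dev/null
    fi
    rm -f "$key"
}

# Demo run: one certificate per level, then the chain check.
demo() {
    work=$(mktemp -d)
    make_cert "$work/dv.pem" "/CN=example.com" "$DV_OID"
    make_cert "$work/ov.pem" "/C=US/L=New York/O=Petes Emporium/CN=example.com" "$OV_OID"
    make_cert "$work/ev.pem" "/C=US/L=New York/O=Petes Emporium/CN=example.com" "$EV_OID"
    for f in dv ov ev; do
        printf '%s: %s\n' "$f.pem" "$(classify_cert "$work/$f.pem")"
    done
    # The EV label is merely an assertion by whoever signed the certificate:
    # with no trusted root behind it the certificate is rejected outright.
    if chains_to_root "$work/ev.pem" ""; then
        echo "ev.pem: trusted (unexpected)"
    else
        echo "ev.pem: untrusted without a root (correct)"
    fi
    rm -rf "$work"
}

demo
```

The fallback on the subject’s O= field matters for older certificates issued before the policy OIDs were standardized; for anything recent, the OID is the authoritative statement of what the CA checked. Browsers apply a further rule the script does not model: they grant EV treatment only when the chain ends at a root that the browser has specifically enabled for EV, so a policy OID in a certificate from an unrecognized issuer buys nothing.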

OV certificates range in price but typically sell for $50 to $150. Many CAs and resellers don’t offer EV at all, so OV is the highest tier they sell.

Extended Validation (EV) SSL

An extended validation certificate is the top-tier certificate. Extended Validation was the reason that the CAB Forum was organized in the first place. The CAB Forum wanted to find a way to make it more obvious to Internet users when a site could be trusted. Extended Validation, then, is designed so that any non-technical person looking at the browser can get an immediate sense of who owns the site and that the owner has been vetted. The concept of these parameters was to enhance online consumer confidence through a standardized approach that all browsers and SSL companies could agree would work.

The information obtained by the Certificate Authority concerns both the Organization and the Organizational Contact, and the validation process is more extensive than for an OV certificate. Because it is so extensive, EV vetting is often incredibly frustrating for customers. Many, however, believe that EV pays for itself in increased sales, thanks to the confidence and sense of integrity it inspires in customers. EV, in other words, is bought not for its encryption (which is identical to DV and OV) but as a marketing tool to promote how much the business cares about those with whom it does business.

Extended Validation does not just show organization information in the certificate, as OV does. It shows it in the browser itself. In IE or Firefox, for example, you’ll see the green address bar, and the name of the organization will toggle back and forth with the name of the certification authority (keep that in mind when choosing your brand: you are choosing whether to have Go Daddy or Symantec toggling with your own company name). As another example, on an iPad or iPhone, it will show the name of your company in green with the lock symbol at the top of the screen. Bear in mind that this display belongs to the browser vendors, not to the CA, and that they have changed it over time, so check how current browsers present EV before building a marketing pitch on the green bar.

You can sometimes use a DBA (trade name) in the organization field as well, alongside the legal name – since that field is so prominent, many companies want enhanced control of that language. Keep in mind, though, that the parameters are very tight and that ultimately the CA itself cannot bend them. The industry board has strict guidelines for all its members.

Additionally, EV certificates offer some protection from mirror sites used in phishing. A phisher may be able to replicate the content of a webpage, and may even obtain a DV certificate for a look-alike domain, but will not be able to get the site address bar to turn green and populate your company name, because no CA will vet the phisher as your organization. That protection only works, of course, if the visitor notices that the green indicator is missing.

The idea behind EV is that as they become more prevalent, Internet users get used to checking whether the green bar is there before completing a transaction. EV has not yet become so widespread that it’s unusual for a site not to have one, but we can at least be aware what sites that we use often have EV certificates. If we see the green when we visit, we should see it every time we enter our information. If not, we’re potentially in a dangerous situation.

EV certificates are of particular use for high-profile sites. The types of sites listed by the CAB Forum for which EV is most important are major finance and retail sites. However, smaller sites may find that EV pays off in increased transactions. In terms of credibility, I think EV is actually much more valuable to a small site than to a large one. Amazon already has credibility. A small, less widely known site can easily promote its reputability with EV certification by a trusted name in security (Symantec, for example, has household status as a security name due to the Norton Anti-Virus line, so in that sense it can be used as a marketing tool beyond its technical purpose).

These certificates can cost anywhere from $100 to upwards of $1000.

Conclusion

Domain (DV), Organization (OV) and Extended (EV) Validation SSL certificates each offer different levels of security and credibility for your online business. Keep in mind as you decide that encryption is just one piece of SSL. The other piece is authentication: letting individuals visiting the site know that they have reached a legitimate business, and which one.

by Kent Roberts and Richard Norwood