Secure Socket Layer (SSL) encryption is a standardized and relatively simple piece of software from a technical standpoint. Typically with SSL, people slap an inexpensive certificate onto a site, partially because the longer forms of validation are annoying and tedious. Also, a web developer does not want to have to involve the client in the process – necessary for the more extensive validation methods.
However, understanding the different levels of validation can be helpful when considering at what point an EV certificate makes sense for a site – where the tradeoff is in terms of increased sales on an ecommerce site, for instance, assuming the green bar indicator is effective.
Certificate authorities also offer the red bar indicator, free of charge, for sites with expired certificates.
Domain Validation (DV) SSL
A domain validation (DV) SSL certificate is only validated via an email interaction. The certificate authority (CA) – the brand behind the particular cert (e.g., Thawte, Comodo, etc.) – sends out a verification email to one of the following addresses:
- An address at the domain you are securing, such as info@, administrator@, etc.
- The email address associated with the WHOIS record for the site (for example, longerversionofemailaddressforusewithwhois@thenaughtiestmailboxintheuniverse.xxx).
Domain validation, as its name suggests, only validates that you are the owner of the domain. It does not do any check on the business itself. Because company information is not checked, the certificate does not supply ownership information. DV certificates don’t have any identifying details in the “organization name” field of the certificate. This field usually either has the domain name listed again or says the business has not been identified.
Domain Validation SSL certificates are the cheapest certificates and only provide one of the two types of security: encryption to protect against theft of information in transit, but not confidence in the ownership of the site itself. One of the higher levels of validation ensures you are working with a business and that you know who you are giving your card information to, if you are making a payment, or who is receiving your personal credentials. In other words, DV certs provide encryption, but not trust/assurance or accountability (naming oneself as the entity officially behind the site).
Simple DV certificates do not give you a sense of who is behind the site, just that data won’t be intercepted. A higher quality EV certificate will say in the certificate Russian Mafia Internet Fraud Division, so you are confident you are sending all your sensitive details to the right organization, the people making payments to you on behalf of the Global Mega-Millions Lottery (in which you recently won $6 billion in one cash payment arriving at your door in four days).
The DV certificate is extremely quick – it’s usually automated. However, some members of the Certificate Authority/Browser Forum, or CAB Forum, would like to get rid of this level of validation. (The CAB Forum is worth checking out, by the way, regarding SSL guidelines. It’s the industry group that sets standardized parameters for the browsers and SSL issuers to uphold. They determine what the baseline requirements are for EV and DV, for instance.)
The Internet has always been a battle of speed and security. Getting rid of DV certification would be very simple, if the CAB Forum decided in favor of making the transition. They would just pull the plug on recognizing those certificates. Already, browsers do not recognize self-signed certificates as legitimate (though self-signed certs work fine for in-house purposes where the certs aren’t publicly facing).
It’s noteworthy that the hacking of various certificate authorities in recent years, with a number of fraudulent certificates issued to high-level sites, has all been via the use of domain validation certificates. Comodo Hacker, for instance, famously used DV cert theft to further a political agenda. He hacked several CAs, causing the collapse of DigiNotar, which was securing Dutch governmental sites.
DV certificates can cost as little as $10 to $50 for a standard cert. Sometimes they are even issued for free for trial testing periods.
Organization Validation (OV) SSL
Organization validation means that the domain is checked but also that the organization is checked to ensure the business is legitimate. The company information is then available in the SSL certificate, so that there is no message that the owner of the site is unidentified. It says, for example, “Unidentified Company Name,” if that is the name of your company (weird name, dude).
OV certificates offer the same level of encryption but a heightened amount of confidence in the business that is receiving the details. Whereas DV certificates, as described above, only give confidence that no one will grab the data while it’s passing between your machine and the site, OV certificates provide more confidence in the site itself. What’s the point of protecting from theft in transit, after all, if the owner of the site is just going to misuse your data anyway?
OV certificates are checked both for the official name of your company (Pete’s Emporium of Candles Shaped Like Pinecones and Acorns) and its location (Room 746, Ritz-Carlton Hotel, Manhattan).
Rather than simply using automated vetting via email, the certificate authority manually checks ownership for each cert. The three basic aspects of vetting, in addition to DV certification, are the following:
- Is the business real?
- Did the business buy the certificate (or have it bought on their behalf)?
- Is the person listed as requesting the cert authorized to receive certs on behalf of the business?
With OV and EV certificates, though many people don’t pay attention to ownership details, they have at least been vetted and are available for inspection prior to doing business or otherwise interacting with a website. Note that because the validation process is more stringent with an OV certificate, it can often take a few days to issue one. Again, much of what is popular about DV, by contrast, is its immediate issuance – typically within 10 minutes – though immediate issuance certainly does not agree with the concept of tight security.
OV certificates range in price but typically sell for $50 to $150. Many CAs and resellers don’t offer EV, so OV serves as the low-end option.
Extended Validation (EV) SSL
An extended validation certificate is the top-tier certificate. Extended Validation was the reason that the CAB Forum was organized in the first place. The CAB Forum wanted to find a way to make it more obvious to Internet users when a site could be trusted. Extended Validation, then, is designed so that any non-technical person viewing a browser can get an immediate sense of who owns the site and whether it’s secure. The concept of these parameters was to enhance online consumer confidence through a standardized approach that all browsers and SSL companies could agree would work.
The information obtained by the Certificate Authority has to do with both the Organization and the Organizational Contact. The validation process is more extensive than with the OV certificate. Often EV, because it is so extensive, is incredibly frustrating for customers. Many, however, believe that EV is worth it in increased sales due to the confidence from customers and sense of integrity that it inspires. EV, in other words, is used not just for its encryption but as a marketing tool to promote how much the business cares about those with whom it does business.
Extended Validation does not just show organization information in the certificate (OV). It actually shows it on the browser itself. If you look at IE or Firefox, for example, you’ll see the green address bar. Additionally, the name of the organization will toggle back and forth with the name of the certification authority (keep that in mind when choosing your brand, that you are choosing whether to have Go Daddy or Symantec toggling with your own company name). As another example, on an iPad or iPhone, it will show the name of your company in green with the lock symbol at the top of the screen.
You can sometimes use a DBA in the organization position as well – since it is so prominent, many companies want enhanced control of that language. Keep in mind, though, that parameters are very tight and that ultimately the CA itself cannot make those decisions. The industry board has strict guidelines for all its members.
Additionally, EV certificates are valuable for protection from mirror sites, used in phishing. The reason EV provides protection against phishing is that a site may be able to replicate the content of a webpage, but they will not be able to get the site address bar to turn green and populate the company name.
The idea behind EV is that as these certificates become more prevalent, Internet users get used to checking whether the green bar is there before completing a transaction. EV has not yet become so widespread that it’s unusual for a site not to have one, but we can at least be aware of which of the sites we use often have EV certificates. If we see the green when we visit, we should see it every time we enter our information. If not, we’re potentially in a dangerous situation.
EV certificates are of particular use for high-profile sites. The types of sites listed by the CAB Forum for which EV is the most important are major finance and retail sites. However, smaller sites may find that they pay off in increased transactions. I think it makes sense that in terms of credibility, EV is much more valuable for a small site than it is for a large site. Amazon already has credibility. A small, less widely known site can easily promote its reputability with EV certification by a trusted name in security (Symantec, for example, has household status as a security name due to the Norton Anti-Virus line, so in that sense it can be used as a marketing tool beyond its technical purpose).
These certificates can cost anywhere from $100 to upwards of $1000.
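The difference between the three levels is visible in the certificate's subject: the sketch below is an added example (not from the original article) that reads a subject in the form Python's `ssl.SSLSocket.getpeercert()` returns and reports DV, OV or EV. It goes slightly beyond the text by using the EV-only subject attributes from the CA/Browser Forum EV Guidelines; the placeholder patterns, the helper names and the sample certificates are assumptions constructed for illustration.

```python
import re

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV
# certificate, spelled the way ssl.getpeercert() reports them.
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Wording a CA may put in a DV certificate's organization field
# (assumed patterns, chosen for this example).
PLACEHOLDER = re.compile(r"not (validated|identified)|domain control validated", re.I)


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {name: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' from what the subject says about the owner."""
    fields = subject_fields(cert)
    names = {n.lower() for n in fields.get("commonName", [])}
    # An organization value counts only if it names a business: not the
    # domain listed again, and not a "not validated" placeholder.
    orgs = [o for o in fields.get("organizationName", [])
            if o.lower() not in names and not PLACEHOLDER.search(o)]
    if not orgs:
        return "DV"
    if EV_ATTRS.issubset(fields):
        return "EV"
    return "OV"


def rdns(**attrs):
    """Build a constructed subject in getpeercert() form."""
    return {"subject": tuple(((k, v),) for k, v in attrs.items())}

# Constructed sample certificates (not taken from real sites).
DV_BARE = rdns(commonName="shop.example")
DV_ECHO = rdns(organizationName="shop.example", commonName="shop.example")
DV_NOTE = rdns(organizationName="Persona Not Validated", commonName="shop.example")
OV_CERT = rdns(countryName="US", organizationName="Example Candles LLC",
               commonName="shop.example")
EV_CERT = rdns(businessCategory="Private Organization", serialNumber="0000000",
               jurisdictionCountryName="US", organizationName="Example Candles LLC",
               commonName="shop.example")
```

Reading subject fields is a convenience check only; a browser decides on EV treatment from the certificate's policy identifiers and its own list of EV-capable CAs, not from the subject alone.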
Conclusion
Domain (DV), Organization (OV) and Extended (EV) Validation SSL certificates each offer different levels of security and credibility for your online business. Keep in mind as you decide that encryption is just one piece of SSL. The other piece is letting individuals visiting the site know that you are a legitimate business.
by Kent Roberts and Richard Norwood