In late June, the Certificate Authority Security Council (CASC), a CA advocacy group made up of Comodo, Entrust Datacard, GlobalSign, GoDaddy and Trustwave, announced the London Protocol. Its stated purpose is to minimize phishing activity on “identity websites,” meaning sites that use OV and EV certificates. Under the protocol, participating CAs would be “required to verify the organization information using verifiable documents, such as a government-issued business license, providing an additional layer of validation to the process,” according to the Council’s press release.
On the face of it, the London Protocol sounds great. I’ve read several news articles on the topic, and David Bisson’s blog post, What Is an EV SSL Certificate, and Why Should You Get One?, offers several good reasons why, at least in some cases, getting an EV certificate is a good idea, particularly for large retailers, financial institutions and technology brands, among others. Such organizations could point to a paid certificate, valid for up to two years as of this writing, as a bulwark against fly-by-night phishing lookalike sites.
There have been rumblings, however, about whether EV certificates really are that much of an advantage—and may even prove to be a disadvantage in the long run. Security researcher Troy Hunt, creator of the well-known Have I Been Pwned website (which you may notice uses an EV certificate—he discusses the arduous process of getting one in this post) tweeted on August 29 that “EV is going, going...” And fellow researcher Scott Helme blogged recently that several large websites, including shutterstock.com and target.com, have quit using EV certificates, suggesting that they have become irrelevant and even counterproductive.
Given the (relative) controversy over EV’s value and ultimately, its future, I decided to take a quick look at both sides of the EV certificate debate and let you, the reader, decide—or at least further the conversation.
I follow good security hygiene. I don’t click on email links, even from people I know. I check the details of a sender to make sure their email hasn’t been spoofed if I have the least question about its validity. I’ve used 1Password religiously for almost 10 years. I have even trained my mom to call me whenever she gets peculiar emails requesting her login information or any other personal data—and my answer always is: “Delete the email. Good catch!” or something like that.
But I never think to check websites for EV certificates. In fact, I didn’t notice the difference between a website using an EV certificate (which would show a green padlock and the name of the entity) and a regular certificate until I started working at Venafi.
Apparently, I’m not alone, even among techies. In a post discussing the relative value of EV certificates, Hunt embeds tweets from several technical people who were not aware of the difference between DV and EV certificates until they saw a Twitter poll of his on the topic.
And Google’s decision to phase out the special indicators for EV certificates, starting with Chrome 69, seems to reflect this. In a July blog post, Venafi Senior System Engineer Bill Madell writes:
“[T]o promote and speed the continued adoption of an encrypted Web and to reduce consumer confusion surrounding security indicators, ... Chrome 69 appears to cease differentiating between DV/OV and EV certificates. Only a padlock will indicate the connection is encrypted; no more ‘green,’ no more ‘Secure’ chip, no more organization names.” Other browsers, including Apple’s Safari and Microsoft’s Edge, are following suit.
In addition, Helme argues that the use of EV certificates “encourage[s] really poor hygiene,” because it discourages regular key and certificate rotation. He writes:
“EV certificates are expensive, running into hundreds of dollars, and they're a pain to get, generally taking hours or days, and everybody wants to avoid the process as much as possible. This results in people going for the longest possible lifetime on their certs to avoid this whole painful process. I can totally understand the motivation behind that, but this really isn't the kind of thing we want to be encouraging. We need to be encouraging lower certificate lifetimes, not higher.”
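Both the distinction Hunt’s respondents missed (EV versus DV) and the lifetime Helme objects to are recorded in the certificate itself: the validation level as a policy OID in the certificatePolicies extension, and the lifetime as the notBefore/notAfter pair. The script below is an added example, not code from this post or from Venafi’s product. It reads both values from a DER-encoded certificate with a small stdlib-only DER walker, maps the CA/Browser Forum policy identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) to a label, and flags any certificate whose lifetime exceeds the 825-day maximum the CA/B Forum imposed in 2018. The sample certificates are constructed inside the script (hypothetical host example.test, empty placeholder key and signature); the `MAX_LIFETIME_DAYS` threshold and that hostname are assumptions to replace with your own policy and real certificates.

```python
"""Read validation level and lifetime straight from an X.509 certificate (stdlib only)."""
import datetime as dt

# CA/Browser Forum policy identifiers (Baseline Requirements 7.1.6.1, EV Guidelines 9.3.2)
CABF_POLICY = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
               "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}
OID_CERT_POLICIES = "2.5.29.32"   # id-ce-certificatePolicies
MAX_LIFETIME_DAYS = 825           # assumed policy threshold: CA/B Forum maximum from March 2018

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val

def oid_decode(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                     # UTCTime YYMMDDHHMMSSZ (RFC 5280 year pivot)
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def inspect_certificate(cert_der):
    """Return validation level, validity window and lifetime of a DER certificate."""
    _, cert, _ = der_read(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)                          # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serial, signature, issuer, validity, subject, spki, [uniqueIDs], [3] extensions
    (t1, nb), (t2, na) = der_children(fields[3][1])
    not_before, not_after = parse_time(t1, nb), parse_time(t2, na)
    policies = []
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        _, extensions, _ = der_read(val)                # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(extensions):
            parts = list(der_children(ext))             # extnID, [critical], extnValue
            if oid_decode(parts[0][1]) != OID_CERT_POLICIES:
                continue
            _, policy_seq, _ = der_read(parts[-1][1])   # extnValue OCTET STRING wraps DER
            for _, info in der_children(policy_seq):    # PolicyInformation { policyIdentifier, ... }
                policies.append(oid_decode(next(der_children(info))[1]))
    level = next((CABF_POLICY[p] for p in policies if p in CABF_POLICY), "unknown")
    lifetime = (not_after - not_before).days
    return {"validation": level, "policies": policies, "not_before": not_before,
            "not_after": not_after, "lifetime_days": lifetime,
            "lifetime_ok": lifetime <= MAX_LIFETIME_DAYS}

# --- constructed sample certificates: structurally valid v3 DER, placeholder key and signature
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def build_sample_cert(policy_oid, not_before, not_after):
    """Sample certificate for the hypothetical host example.test carrying one policy OID."""
    def utc_time(day):
        return der(0x17, dt.datetime.strptime(day, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, oid_encode("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, oid_encode("2.5.4.3") + der(0x0C, b"example.test"))))
    spki = der(0x30, alg + der(0x03, b"\x00"))                              # placeholder key
    ext = der(0x30, oid_encode(OID_CERT_POLICIES) + der(0x04, der(0x30, der(0x30, oid_encode(policy_oid)))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + der(0x30, utc_time(not_before) + utc_time(not_after)) + name + spki
              + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))                        # placeholder signature

def sample_reports():
    samples = {"ev_two_year": build_sample_cert("2.23.140.1.1", "2018-09-01", "2020-09-01"),
               "dv_ninety_day": build_sample_cert("2.23.140.1.2.1", "2018-09-01", "2018-11-30"),
               "dv_three_year": build_sample_cert("2.23.140.1.2.1", "2017-01-01", "2020-01-01")}
    return {name: inspect_certificate(cert) for name, cert in samples.items()}

if __name__ == "__main__":
    for name, r in sample_reports().items():
        verdict = "ok" if r["lifetime_ok"] else f"exceeds {MAX_LIFETIME_DAYS}-day limit"
        print(f"{name:14} {r['validation']:8} {r['lifetime_days']:5d} days  {verdict}")
```

To run this against a live site, fetch the certificate with `ssl.get_server_certificate((host, 443))` and convert it with `ssl.PEM_cert_to_DER_cert` before passing it to `inspect_certificate`. Two caveats: browsers historically recognized EV through CA-specific policy OIDs as well as the CA/B Forum one, so an older EV certificate may carry an OID this table does not know, and the lifetime check says nothing about whether a certificate has been revoked; that still needs an OCSP or CRL lookup.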
Bisson’s aforementioned post provides several reasons why certain high-profile organizations should consider EV certificates, particularly to protect against phishing scams. “[F]or EV certificates, CAs require a domain owner to provide extra documentation such as a signed subscriber agreement, a signed authorization form, and documentation verifying either their business or their EV request. A vetting partner then looks over all this information in an effort to verify the domain owner's name, legal existence, operational existence, physical existence, and other properties. Successful passage of the vetting process yields a fully validated EV certificate.” Attackers, Bisson adds, “can't easily obtain an EV certificate, as the amount of verification leaves ample room for a CA to spot discrepancies in the bad actors' applications.”
Patrick Nohe of The SSL Store gives an example that supports Bisson’s argument, for public-facing government websites. In the latter half of August, Microsoft took down several fake government websites, including one designed to mimic the U.S. Senate website, that Fancy Bear had set up for potential spear-phishing or malware attacks. All of these phony sites, the U.S. Senate lookalike included, used DV certificates.
In contrast, the real U.S. Senate website uses an EV certificate. Nohe points out: “That’s why every public-facing government website, from the smallest municipalities all the way up to the largest federal institutions, needs to have an EV nameplate beside their URL in browsers’ address bars. This is one of the most direct ways for websites to assert their identity to their visitors. It’s unmistakable, it’s unfakeable and it reflects that the organization has been thoroughly vetted by a trusted Certificate Authority.”
Of course, Nohe’s assertion still has to contend with Google Chrome’s and other browsers’ changes in how they show EV certificates. Users (who, as I have admitted, don’t check this stuff carefully, if at all) will have even less incentive to check if there isn’t a clear way to differentiate EV certificates from their DV counterparts.
Nevertheless, it still makes sense for retailers, financial institutions and public-facing government entities to use EV certificates. For one thing, the identity vetting required to obtain one, as described above, means that visitors who look for that assurance can still find it, in the certificate details if no longer in the address bar.
Perhaps more importantly, you are following the practices set out by the CA/Browser Forum (CA/B) and other industry groups. Consider this scenario: your very important organization is breached. A reporter discovers you used a run-of-the-mill DV certificate that was hard to tell apart from the one on an almost identical phishing site. In other words, you didn’t do everything in your power to secure your site. Maybe that reporter and their audience didn’t care about EV certificates before, but think of the potential fallout and outrage. With an EV certificate, you not only give yourself some additional protection, spotty as it may be, you also show that you are willing to do everything possible to protect your visitors.
Whatever you do, however, please don’t treat an EV certificate’s long validity period as a convenience. Longer expiration dates do, as Helme points out, put you at greater risk if your site is breached: a compromised key stays usable for as long as its certificate remains valid, unless you revoke and replace it promptly. You need a solution in place that can quickly tell you when a certificate needs to be revoked or replaced. Venafi’s Trust Protection Platform helps you automate these processes and keeps your website, and your organization as a whole, protected by maintaining an inventory of all your keys and certificates and safeguarding your machine identities in all of their forms.
What are your thoughts about the utility of EV certificates? Let us know in the comments or on Twitter!