
Do Banks Undervalue Extended Validation (EV) Certificates?

January 9, 2019 | Wilson Yan

As I wrote in my last blog, I was recently in an emerging market in South East Asia to meet with local and global banks. Not only did I uncover some interesting challenges with self-signed certificates for internal encryption, I also discovered some surprising thinking about external certificates. Even though the value of their business is based on the trust they can offer their customers, many of the banks in South East Asia do not extend that trust to their HTTPS environments.

While discussing the relative merits of machine identity protection in securing keys and certificates, I learned that these banks just don't understand the concept of value in external certificates. This point was driven home to me when I learned that a major regional economic development bank was using consumer-grade DV certificates for their external web pages. That is a great example of the sort of knowledge gap that some of these banks have.

Granted, the enterprise banks, the commercial banks, they are a bit better. They are using extended validation (EV) certificates from powerhouse certificate authorities. But some of the government-linked banks are just using the cheapest certificates they can find. As long as their sites have that new lock, they're happy. So, they don’t yet realize that there's a difference between the value that you pay for in certificates from the big players versus domain-validation certificates, for example.

First, I try to explain the value of a certificate in real terms. With a domain-validated certificate, you need to go through certain levels of verification. So, as long as the domain is owned by you and you have an email address, you can request one. What that really means is that anyone within your organization can request a certificate. Okay. So, what if it’s a rogue admin that requests the certificate? Big problem, right? What if the requestor isn’t even an admin, just an employee with an email account? Or an employee with an email account whose credentials were hacked?

On the other hand, with an extended validation certificate, you gain the assurance that the certificate request has been run through a battery of additional checks. This process is like multi-factor authentication in that it is designed to gain a depth of information about the identity of the requester before the CA will grant them an EV certificate.
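The validation level a CA applied is recorded in the certificate itself: the certificatePolicies extension carries a CA/Browser Forum policy OID for DV, OV, IV or EV. The following is an added example, not part of the original post, that reads that OID from a DER-encoded certificate so a team can audit which level its external sites actually present; the function names and the `sample` fragment are this example's own, and the sample bytes are constructed rather than taken from a real certificate.

```python
# CA/Browser Forum reserved policy OIDs, strongest validation first.
POLICY_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV",
                 "2.23.140.1.2.3": "IV", "2.23.140.1.2.1": "DV"}
CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(der):
    """Return the policy OIDs of every certificatePolicies extension in der."""
    found = []
    for tag, val in tlvs(der):
        kids = list(tlvs(val)) if tag & 0x20 else []  # only constructed types nest
        if tag == 0x30 and kids and kids[0][0] == 0x06 and oid(kids[0][1]) == CERT_POLICIES:
            for _, seq_of in tlvs(kids[-1][1]):   # extnValue OCTET STRING content
                for _, info in tlvs(seq_of):      # each PolicyInformation
                    found.append(oid(next(tlvs(info))[1]))
        elif kids:
            found += policy_oids(val)
    return found

def validation_level(der):
    """Map the asserted CA/Browser Forum policy OID to DV/OV/IV/EV, else 'unknown'."""
    asserted = set(policy_oids(der))
    return next((lvl for o, lvl in POLICY_LEVELS.items() if o in asserted), "unknown")

def sample(policy_bytes):
    """Constructed, cert-shaped DER fragment holding one policy OID (not a real certificate)."""
    t = lambda tag, body: bytes([tag, len(body)]) + body
    ext = t(0x30, t(0x06, b"\x55\x1d\x20") + t(0x04, t(0x30, t(0x30, t(0x06, policy_bytes)))))
    return t(0x30, t(0x30, t(0xA3, t(0x30, ext))))
```

For a certificate in PEM form, pass `ssl.PEM_cert_to_DER_cert(pem)` to `validation_level`. A result of `unknown` means no CA/Browser Forum policy OID was found, not that the certificate is invalid.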

If that doesn’t hit home, here’s an example I use to illustrate the value of using highly-trusted certificates. I compare the process to going through immigration at the airport. To pass through immigration you have a passport. For you to get a passport, you have to prove your identity to the passport registration authority. You get your picture taken, you imprint your thumb prints, you submit a copy of your birth certificate to prove your citizenship. Then, only after a period of validation, you get your passport. International authorities will now trust your identity across borders. Even then, you may still have to validate yourself again, using facial recognition and whatnot.

Now, let’s compare that to a form of identification that is not so widely trusted. Let’s look at a type of ID that’s not so hard to obtain. Let’s look at library cards. When you go and get a library card, all you have to do is provide your name, prior photo, and then proof of address. And then you get a library card. Great. The library says it’s you. So, now, if you pass through immigration, and you bring your library card along, that should prove your identity, right? No. The passport agency can’t trust you based on a lesser form of identification that hasn’t undergone in-depth validation.

Now, let’s look at this scenario in terms of certificates. A domain-validated certificate is like a library card. You did actually prove that you are you. But only in a very basic way. An EV certificate, on the other hand, is like a passport. It has gone through a much more rigorous validation. So, you can trust it with a higher level of confidence. This is when eyes at the bank really start to open. Now we’re talking about certificates in terms of a difference in value and quality.

Which is the type of confidence that you’d like to instill in your customers? Are you going to show them a library card or a passport?

About the author

Wilson Yan

A self-proclaimed "digital security problem solving zealot", Wilson is a Principal Consultant of Information Technology at Venafi. He is responsible for driving deployment of Venafi’s solutions across Singapore, Australia and Macau, and securing PKI certificates and keys.
