The Evolving Roles of EV, OV and DV Machine Identities

November 29, 2021 | Anastasios Arampatzis

As businesses rely more and more on machines to meet their operational objectives, the need to validate the identities of these machines is becoming ever more critical. Most machine identities come in the form of SSL/TLS certificates, but there are other types, such as SSH keys and code signing keys.

As we introduce more TLS machine identities to support digital transformation, we need to answer some difficult questions. For example, does it still make sense to pay more for more secure Extended Validation (EV) or Organization Validated (OV) certificates? Or is it better to increase your use of less expensive or free Domain Validated (DV) certificates? And how will you measure the security of any of these types of certificates without an effective machine identity management program?

A quick background on EV and OV certificates

In the past, it made perfect sense to use EV certificates for areas where you needed to demonstrate the highest levels of security. And that may still be the case for many business functions. Case in point: EV certificates were credited with boosting confidence in online shopping. However, most consumers today use their mobile devices to make purchases online, and therefore, the value of EV certificates seems to have diminished—mobile browsers don't display EV indicators at all.

Many organizations in regulated industries, such as banking and healthcare, are willing to pay more for EV certificates. The key argument for this continued usage is that the expensive EV certificates are more secure than cheaper DV certificates—or even the free certificates offered by Certificate Authorities (CAs) such as Let’s Encrypt.

Another argument made for EV certificates was that their visible indicators (a green badge appearing on the left of a URL bar) would raise awareness for the visitors of these sites to be more careful with their online behavior. That was far from true. As security researcher Troy Hunt pointed out, the top 10 largest sites, including Google, YouTube, Twitter, and Facebook, don't use EV certificates, so many users aren't trained to look for the indicators that the certificates provide.

And then came the announcements of Google and Firefox, saying that they “remove Extended Validation (EV) indicators from the identity block (the left-hand side of the URL bar which is used to display security / privacy information).” Some announced the death of EV certificates. In fact, I went so far as to write that “it’s the end of the world as we know it” for EV certificates.

Are extended validation SSL certificates gone for good?

Are there new or different use cases for EV and OV certificates now that we’ve seen an explosion of certificates due to DevOps and digital transformation? Scott Carter, Head of Content Strategy at Venafi, has some interesting questions to reflect upon: “Is it worth investing in more secure certificates or just get better machine identity management? And do your consumers notice or care?”

The topic of purchasing EV or OV certificates remains quite controversial. The CAs want to say that EV or OV certificates have more value because they’ve been “validated” but the reality is that these processes have been actively spoofed by attackers, potentially undermining their value.

Research sponsored by Venafi and undertaken by researchers at the Evidence-based Cybersecurity Research Group, at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey uncovered thriving marketplaces for TLS certificates being sold individually, and packaged with a wide range of crimeware. Together these services deliver machine-identities-as-a-service to cybercriminals, who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks, and steal sensitive data.

“TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits—just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals,” said Kevin Bocek, vice president of security and threat intelligence for Venafi.

That being said, many larger companies still rely on EV and OV certificates. However, given the rapid increase in Let’s Encrypt certificates, a large section of the market evidently believes that the use cases for EV or OV certificates are diminishing. The flip side of the argument is that Let’s Encrypt certificates last only 90 days (primarily for security reasons), so you will need to invest in solutions that help you manage these certificates effectively.

Whether you choose DV, EV or OV, machine identity management is critical

With the abundance of machines each organization relies on—ranging from distributed IoT devices to cloud workloads—it’s crucial that organizations effectively identify these machines and protect their confidentiality, integrity and authenticity. All digital certificates allow you to encrypt data in transit, authenticate connected devices and ensure the integrity of your data. But none of them are as effective as they could be without a robust machine identity management solution in place.
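Whichever validation level you buy, the first step of machine identity management is knowing what you actually have. As an added example (not code from the original post or from Venafi's products), this Go program, using only the standard library, classifies a TLS certificate as DV, OV or EV from the CA/Browser Forum policy OID its issuer asserted and reports the days left until it expires; the certificate it inspects is a constructed, self-signed test certificate, and the host names and lifetimes are made-up values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum reserved policy OIDs by which a public CA asserts the validation level (DV, OV, EV) it performed.
var policyOIDs = map[string]asn1.ObjectIdentifier{
	"DV": {2, 23, 140, 1, 2, 1}, "OV": {2, 23, 140, 1, 2, 2}, "EV": {2, 23, 140, 1, 1},
}

// ValidationLevel reports the level a leaf certificate asserts, or "unknown" if it carries none of the reserved OIDs.
func ValidationLevel(c *x509.Certificate) string {
	for _, p := range c.PolicyIdentifiers {
		for level, oid := range policyOIDs {
			if p.Equal(oid) {
				return level
			}
		}
	}
	return "unknown" // e.g. a private-CA certificate: the validation level cannot be inferred
}

// DaysLeft is the whole number of days from now until c expires (negative once it has expired).
func DaysLeft(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// MakeCert builds a constructed, self-signed test certificate asserting the given level (DV, OV or EV) and lifetime in days.
func MakeCert(cn, level string, days int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	pol, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policyOIDs[level]}}) // certificatePolicies payload: SEQUENCE OF { OID }
	tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run over a real inventory, the same two functions tell you which hosts carry EV or OV certificates you are paying for and which short-lived DV certificates are about to lapse.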

So, instead of spending your budget to purchase more expensive certificates, you may want to consider the value of investing in strong machine identity management solutions that enable robust management policies and practices. Machine identity management platforms, such as Venafi’s Trust Protection Platform, allow you to automate the entire certificate lifecycle management and dramatically reduce security risks. Machine identity management solutions give you the visibility, intelligence, and automation to protect machine identities throughout your organization.

If you wish to learn more about how Trust Protection Platform can help you, contact our experts. We will be glad to listen to your needs and concerns and find a solution to satisfy your business security requirements.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.