An extended validation (EV) certificate is a type of SSL/TLS certificate. It is highly valued because it requires the most amount of effort by a certificate authority (CA) to validate. As such, an EV certificate provides a high degree of trust for visitors to a website operated by the certificate owner.
Due to their intensive verification process, EV certificates are generally less common than other SSL certificates. On the opposite side of the scale, domain validated (DV) certificates are the most common type of SSL/TLS certificate. They only require verification using the domain name, validation which a domain owner achieves by confirming their email listed in the WHOIS record with the CA or placing a verification file on the website.
For EV certificates, CAs require a domain owner to provide extra documentation such as a signed subscriber agreement, a signed authorization form, and documentation verifying either their business or their EV request. A vetting partner then looks over all this information in an effort to verify the domain owner's name, legal existence, operational existence, physical existence, and other properties. Successful passage of the vetting process yields a fully validated EV certificate, a digital file which shows the name of the company or organization in the address bar as well as displays the address bar in green.
As we have already discussed, EV certificates require enterprises to invest more time and effort than the certificates validated by a domain or an organization (DV or OV certificates). Certificate authorities (CAs) argue that EV certificates offer a higher level of assurance against fraudulent use because they verify that a trusted third party (the CA) has authenticated an organization’s identity and scrutinized information for domain names considered high-risk for phishing and other counterfeit activities.
Still, others argue that EV certificates may be far too dependent on the user behaving a certain way in order for this security mechanism to work.
So, the question to be answered is “What are the pros and cons of EV Certificates?”.
Although EV certificates verify the identity of the owner of a specific website, there is a problem that the company name behind a domain might not be related to the branding on the website due to parent/subsidiary companies and other various legal structures. This might lead to much confusion as the user must first know the domain name of the company they want to visit, then must know the legally registered name of the company they want to visit and finally must validate that the name and domain are correctly shown by the browser.
Another benefit is related with the revocation checking process. First of all, a bit of background information on revocation checking. In the early days of the web the Certificate Revocation Lists, or CRLs were lists of all certificates that a CA had revoked and could be downloaded by a client to check if the certificate they were served had been revoked. These lists became larger and larger and eventually downloading these large files became a problem, thus the Online Certificate Status Protocol, or OCSP, was born. Instead of the client downloading a list of all revoked certificates, they would submit a request to the CA to check the status of the specific certificate they had received. OCSP was riddled with problems like poor CA infrastructure being unavailable and the privacy concern of clients leaking the site they were visiting to the CA. To get around this problem OCSP Stapling was created. Instead of the client making the OCSP request to the CA, the host website would make the request and 'staple' the response to the certificate when they served it. Because the OCSP response is short lived and digitally signed by the CA, the client can trust the stapled OCSP response.
EV certificates support OSCP stapling which is actually a tangible and provable benefit, but it's not properly communicated to site operators that they absolutely must enable OCSP stapling or it will slow down their website whilst leaking their visitors browsing data to the CA or potentially make it unavailable in some rare circumstances.
EV certificates depend too much on the user. Depending on the user isn’t a security mechanism that actually works. We shouldn't expect and require the user to manually and correctly validate the identity of the company owner and the domain every single time they visit a page. If EV is to be successful it needs some kind of technical measure that can be enforced without relying on the user. Without a way to enforce EV and shed the dependency on the user, EV will never be reliable because the user is not reliable.
As Scott Helme argues, EV certificates encourage poor hygiene because people and organizations try to avoid the painful and time consuming process of issuing another expensive EV certificate. Therefore, they opt-in for the longest possible lifetime on their certificates. Encouraging sites to use longer validity periods on certificates is bad for security and bad for the ecosystem. We need to be encouraging lower certificate lifetimes, not higher.
Another problematic area, besides the obvious effort of CAs to sell expensive certificates and make more money, is the lack of adequate user training around the use of EV certificates. If users aren't aware of what EV indicators are or mean, then the added value they provide is close to zero.
In addition, with the rise of the mobile platform, an ever-increasing portion of browsing takes place on mobile devices. Most iOS or Android browsers do not display the EV UI on mobile platforms, or the difference is so little that is barely noticed. So what is the gain of using EV certificates if you cannot increase the level of trust of your client?
One final thought. If you have an EV certificate it means you registered a company name. An EV indicator does not mean a site is trustworthy, it does not mean a site will not phish you, it does not mean anything other than the domain is owned by a registered legal entity. Let alone that on the thriving certificate market on the dark web you can find stolen EV certificates for just under $2000.
As Troy Hunt points out correctly, the bottom line is that the effectiveness of EV certificates is entirely dependent on people recognizing what they mean and actually adapting their behavior accordingly. It's hard to argue with that.
Not everyone needs an EV certificate. Organizations need to examine the added value of EV certificates, if any. They are best reserved for high-profile websites that attackers commonly target for phishing attacks. It makes perfect sense for retailers, financial institutions and public-facing government entities to use EV certificates. For one thing, the effort in proving your identity to obtain one, means that those who are looking for that assurance can find it.
Much depends on the perspective. Enterprises that adopt a user-centric philosophy will continue to generate value provided by technology by embracing risk and managing it in a way that’s productive for their business. But what about the machines?
Banks, specifically, should take a closer look at the fundamentals of securing the machine identities used by banking applications. Machines talk to other machines, whether they’re servers, laptops, applications or mobile devices. And we all know how important it is for those communications to be secure, particularly when it comes to mobile banking.
Encryption gives users the assurance that their machine (or mobile device) is communicating with the machine it should be talking to and that those communications are secure from eavesdropping. This is where the keys and certificates become absolutely essential as the tools that the machine uses to validate the machine identities on both sides of the communications.
As you work to secure your website and keep online information private, you will find increased trust from your customers, and increased peace of mind. If you would like to purchase SSL certificates or have more questions about your website security, contact us today.