What is an EV SSL certificate?
An Extended Validation certificate (also called an EV SSL certificate) is a specialized form of SSL/TLS certificate. It has undergone a rigorous validation process by a Certificate Authority (CA) to ensure the authenticity and legitimacy of a website. This thorough validation is necessary for trusted entities such as well-known brands, banks, and Fortune 500 companies. It verifies essential details such as the website domain, ownership, and the legal, physical, and operational identity of the applicant.
Due to their intensive verification process, EV certificates are generally less common than other SSL certificates. At the opposite end of the scale, domain validated (DV) certificates are the most common type of SSL/TLS certificate. They require verification of the domain name only, which a domain owner achieves by confirming the email address listed in the WHOIS record with the CA or by placing a verification file on the website.
The case for EV (extended validation) certificates
As we have already discussed, EV certificates require enterprises to invest more time and effort than the certificates validated by a domain or an organization (DV or OV certificates). Certificate authorities (CAs) argue that EV certificates offer a higher level of assurance against fraudulent use because they verify that a trusted third party (the CA) has authenticated an organization’s identity and scrutinized information for domain names considered high-risk for phishing and other counterfeit activities.
Still, others argue that EV certificates may be far too dependent on the user behaving a certain way in order for this security mechanism to work.
So, the question to be answered is “What are the pros and cons of EV Certificates?”.
The pros of EV certificates
Although EV certificates verify the identity of the owner of a specific website, there is a problem: the company name behind a domain might not match the branding on the website because of parent/subsidiary relationships and various other legal structures. This can cause much confusion, as the user must first know the domain name of the company they want to visit, then must know the legally registered name of that company, and finally must validate that the name and domain shown by the browser are correct.
Another perk pertains to the revocation verification process. Initially, Certificate Revocation Lists (CRLs) listed all revoked certificates, causing download issues. The Online Certificate Status Protocol (OCSP) emerged to tackle this. However, OCSP faced challenges like CA unavailability and privacy concerns. OCSP Stapling solved this by having the host site make the request, attaching the response to the certificate. This short-lived, CA-signed response instills trust in clients.
EV certificates support OCSP stapling, which is a tangible and provable benefit, but it is not properly communicated to site operators that they absolutely must enable OCSP stapling. If they do not, it will slow down their website while leaking their visitors' browsing data to the CA, or in some rare circumstances make the site unavailable.
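One way for a site operator to check the caveat above, namely that stapling is actually on and the stapled response is still fresh: an added example (not from this article or from Venafi) that classifies the text `openssl s_client -connect host:443 -status` prints. The sample outputs are constructed, and `utc` is a small helper belonging to the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines that `openssl s_client -connect host:443 -status`
# prints when the server staples an OCSP response.
STAPLED_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Mar  1 09:00:00 2024 GMT
    Cert Status: good
    This Update: Mar  1 09:00:00 2024 GMT
    Next Update: Mar  8 09:00:00 2024 GMT
======================================
"""
# Constructed sample for a server that has stapling disabled.
UNSTAPLED_OUTPUT = "OCSP response: no response sent\n"

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def utc(year, month, day):
    """Helper so callers can build a UTC 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def _field(output, name):
    m = re.search(rf"^\s*{re.escape(name)}: (.+)$", output, re.MULTILINE)
    return m.group(1).strip() if m else None

def _parse_time(text):
    # Collapse the double space openssl emits for single-digit days.
    return datetime.strptime(" ".join(text.split()), _DATE_FMT).replace(tzinfo=timezone.utc)

def stapling_verdict(output, now):
    """Classify s_client -status output as 'not-stapled', 'stapled-good',
    'stapled-not-good' (revoked/unknown), 'stapled-stale' (past Next Update)
    or 'stapled-error' (responder returned a non-successful status)."""
    status = _field(output, "OCSP Response Status")
    if "no response sent" in output or status is None:
        return "not-stapled"  # client must contact the CA itself, or soft-fail
    if not status.startswith("successful"):
        return "stapled-error"
    if _field(output, "Cert Status") != "good":
        return "stapled-not-good"
    if now > _parse_time(_field(output, "Next Update")):
        return "stapled-stale"  # server is serving an expired response
    return "stapled-good"
```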
The cons of EV certificates
EV certificates depend too much on the user. Depending on the user isn’t a security mechanism that works. We shouldn't expect and require the user to validate the identity of the company owner and the domain every single time manually and correctly when they visit a page. If EV is to be successful it needs technical measures that can be enforced without relying on the user. Without a way to enforce EV and shed the dependency on the user, EV will never be reliable because the user is not reliable.
As Scott Helme argues, EV certificates encourage poor hygiene because people and organizations try to avoid the painful and time-consuming process of issuing another expensive EV certificate. Therefore, they opt for the longest possible lifetime on their certificates. Encouraging sites to use longer validity periods on certificates is bad for security and bad for the ecosystem. We need to be encouraging shorter certificate lifetimes, not longer.
Another problematic area, besides the obvious effort of CAs to sell expensive certificates and make more money, is the lack of adequate user training around the use of EV certificates. If users aren't aware of what EV indicators are or mean, then the added value they provide is close to zero.
In addition, with the rise of the mobile platform, an ever-increasing portion of browsing takes place on mobile devices. Most iOS or Android browsers do not display the EV UI on mobile platforms, or the difference is so small that it is barely noticed. So, what is the gain of using EV certificates if you cannot increase your clients' level of trust?
One final thought. If you have an EV certificate, it means you registered a company name. An EV indicator does not mean a site is trustworthy, it does not mean a site will not phish you; it does not mean anything other than that the domain is owned by a registered legal entity. Not to mention that on the thriving certificate market on the dark web, stolen EV certificates can be found for just under $2000.
As Troy Hunt points out correctly, the bottom line is that the effectiveness of EV certificates is entirely dependent on people recognizing what they mean and adapting their behavior accordingly. It's hard to argue with that.
EV SSL certificates vs DV and OV certificates
Domain validated (DV) certificates, described above, sit at the bottom of this scale: they are the most common type of SSL/TLS certificate and require only proof of control over the domain name. The next step up are organization validated (OV) certificates, which require more verification than DV certificates. For these digital files, CAs commonly request documentation verifying a domain owner's address and other organization information. If successfully obtained, OV certificates list the names of both the website and the company.
With EV certificates, Certificate Authorities (CAs) demand additional documentation from domain owners, including signed agreements and proof of business or an EV request. A vetting partner meticulously scrutinizes this data to confirm the domain owner's identity, legal and operational existence, physical presence, and other attributes. Once the vetting process is successfully completed, a fully validated EV certificate is issued. This digital document prominently features the company or organization's name in the address bar and highlights the bar in green, providing enhanced security and assurance.
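The three validation levels also leave a trace inside the certificate itself, independent of any browser UI: the CA/Browser Forum reserves one certificate-policy OID per level, and EV subjects must carry registration fields that DV and OV subjects lack. Here is an added example (not Venafi's code) that reads the policy OIDs and subject from `openssl x509 -noout -text` output and classifies the certificate; the sample outputs, the company name and the CA-specific policy OID are constructed.

```python
import re

# CA/Browser Forum reserved certificate-policy OIDs.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
# Subject attributes the EV Guidelines require on top of the OV set, as OpenSSL names them.
EV_SUBJECT_FIELDS = ("serialNumber", "businessCategory", "jurisdictionC")

# Constructed samples: the lines of `openssl x509 -noout -text` output that matter here.
# The 1.3.6.1.4.1.99999... OID stands in for a CA-specific policy OID; it is not a real one.
SAMPLE_EV = """\
        Subject: jurisdictionC = US, businessCategory = Private Organization, serialNumber = 1234567, C = US, ST = California, L = San Jose, O = Example Corp, CN = www.example.com
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.1
                Policy: 1.3.6.1.4.1.99999.1.2.1
"""
SAMPLE_DV = """\
        Subject: CN = www.example.com
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

def policy_oids(text):
    """All 'Policy:' OIDs listed in the Certificate Policies extension."""
    return set(re.findall(r"^\s*Policy: ([0-9.]+)$", text, re.MULTILINE))

def subject_fields(text):
    """Subject attributes as a dict; splits on ', ' except where the comma is escaped."""
    m = re.search(r"^\s*Subject: (.+)$", text, re.MULTILINE)
    if not m:
        return {}
    parts = re.split(r"(?<!\\), ", m.group(1))
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts)}

def validation_level(text):
    """'EV', 'OV', 'DV', 'EV-policy-but-incomplete-subject' or 'unknown'."""
    oids, subj = policy_oids(text), subject_fields(text)
    if CABF_EV in oids:
        # An EV policy OID is only meaningful if the identity fields it promises are present.
        missing = [f for f in ("O",) + EV_SUBJECT_FIELDS if f not in subj]
        return "EV" if not missing else "EV-policy-but-incomplete-subject"
    if CABF_OV in oids:
        return "OV"
    if CABF_DV in oids:
        return "DV"
    return "unknown"  # older EV certificates may carry only a CA-specific OID
```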
Do you need extended validation certificates?
Not all entities require an EV certificate. It's crucial for organizations to assess the extra benefits, if any, that EV certificates offer. These certificates are most suitable for websites often targeted by phishing attacks. Retailers, financial institutions, and public-facing government bodies, for instance, benefit greatly from EV certificates. The thorough identity verification process involved in obtaining these certificates ensures that those seeking assurance can rely on them.
Much depends on the perspective. Enterprises that adopt a user-centric philosophy will continue to generate value provided by technology by embracing risk and managing it in a way that’s productive for their business. But what about the machines?
Banks, specifically, should take a closer look at the fundamentals of securing the machine identities used by banking applications. Machines talk to other machines, whether they’re servers, laptops, applications or mobile devices. And we all know how important it is for those communications to be secure, particularly when it comes to mobile banking.
Encryption gives users the assurance that their machine (or mobile device) is communicating with the machine it should be talking to and that those communications are secure from eavesdropping. This is where the keys and certificates become essential as the tools that the machine uses to validate the machine identities on both sides of the communications.
As you work to secure your website and keep online information private, you will find increased trust from your customers, and increased peace of mind. If you would like to learn more about protecting your digital certificates with Venafi, contact us today.