An extended validation (EV) certificate is a type of SSL/TLS certificate. It is highly valued because it requires the most amount of effort by a certificate authority (CA) to validate. As such, an EV certificate provides a high degree of trust for visitors to a website operated by the certificate owner.
Due to their intensive verification process, EV certificates are generally less common than other SSL certificates. On the opposite side of the scale, domain validated (DV) certificates are the most common type of SSL/TLS certificate. They only require verification using the domain name, validation which a domain owner achieves by confirming their email listed in the WHOIS record with the CA or placing a verification file on the website.
The next step up are organization validated (OV) certificates, which require more verification than DV certificates. For these digital files, CAs commonly request documentation verifying a domain owner's address and other organization information. If successfully obtained, OV certificates list the names of both the website and the company.
As for EV certificates, CAs require a domain owner to provide extra documentation such as a signed subscriber agreement, a signed authorization form, and documentation verifying either their business or their EV request. A vetting partner then looks over all this information in an effort to verify the domain owner's name, legal existence, operational existence, physical existence, and other properties. Successful passage of the vetting process yields a fully validated EV certificate, a digital file which shows the name of the company or organization in the address bar as well as displays the address bar in green.
Not everyone needs an EV SSL/TLS certificate for every instance. They are best reserved for high-profile websites that attackers commonly target for phishing attacks. Those generally include retailers, major technology brands, banks, and financial institutions.
EV certificates help protect against sophisticated phishing techniques. In response to a warier population of web users, fraudsters have turned to purchasing fraudulent "domain-only" SSL/TLS certificates for their convincing phishing domains. An example of this would be a certificate for paypa1.com (with the number 1 substituting for the lowercase letter "L"). This skin-deep level of apparent protection successfully fooled previous web browsers versions, as they were incapable of distinguishing between fully verified SSL/TLS certificates and easy-to-acquire "domain-only" digital files. As a result, many users thought these fake sites were real and willingly gave up their sensitive information.
By comparison, attackers can't easily obtain an EV certificate, as the amount of verification leaves ample room for a CA to spot discrepancies in the bad actors' applications. But if attackers are able to steal or compromise existing EV certificates, they have access to abuse a much wider range of trust.
Also, it's important that high-profile companies don't allow their EV certificates to expire. Failure to keep these highly trusted certificates up-to-date could raise a red flag in the minds of web visitors, causing a decline in business. To prevent this from happening, these domain owners should invest in a solution that monitors their certificates and automates the renewal process.
Related blogs