The Value of EV Certificates

Guest writer:
Bruce C. Morton, Entrust Datacard
Director of Certificate Services, Entrust Certificate Services

In my role at Entrust Datacard, I get to examine SSL (Secure Sockets Layer) and its benefits from quite a few perspectives. I had the opportunity to review a verification issue last week, and it had me thinking of the value of EV certificates. EV (Extended Validation) SSL Certificates lend more credibility to your website compared to using an organisation or domain validated SSL Certificate.

First for every SSL/TLS (Transport Layer Security) certificate request, our verification teams goes through a validation process to authenticate the identity, ownership or control of the domain name, and authorisation to issue the certificate. This process is increased substantially for Extended Validation (EV) certificates. In this case, the identity is confirmed with the registration source and authorisation is elevated to include confirming certificate issuance, and the contract approver is authorised.

Watch Clip: What does Entrust EV SSL mean for you?

In the case of the verification issue, the applicant requested a certificate for the verified domain wvvw.paypal-secure.com. Their address information was confusing, but they had a great web page.

Example 1

Oops! Their page looks like a phishing site for PayPal. Best to check how the actual PayPal site looks.

Example 2

Very similar, but notice the difference in the status bar.

Example 3Example 4

All browsers have areas shown to the user which cannot be changed by the website administrator. The status bar is in this area. The browser uses the status bar to present site location and security information, which is based on the domain name, HTTP versus HTTPS, and certificate type.

What sets the legitimate PayPal site apart from the phishing site is their EV certificate type. With an EV certificate, browsers will use a green indication around the lock icon and will display the website owner’s identity. As such, your legitimate website will display trust through the green indication and your verified identity. It will show more trust than a phishing site as it is very difficult for an attacker to get an EV certificate with your identity.

Also, an EV certificate can help prevent a man-in-the-middle (MITM) attack. Over the last few years, we have seen MITM vulnerabilities when a root CA has issued an intermediate CA certificate to an end user (e.g., Trustwave, TURKTRUST, ANNSI and CNNIC). We have also seen MITM vulnerabilities by poor software design (e.g., Superfish, Komodia and PrivDog).

The advantage of EV is the root certificate must have metadata provided by the browser to state that it is trusted for EV. The metadata is only available once the CA has met the browser required EV qualifications. As such the metadata is not available when an attacker creates their root or issuing CA. As Gibson Research states, Extended Validation is completely spoof proof.

If you deploy an EV certificate, I recommend that you consider making effort to show your users the level of security you are providing. You want your users to know they are at your trusted site when they see the green bar. You also want them to be suspicious when they don’t see the green bar.

Take a deeper dive into how EV SSL can boost your business with the Entrust Datacard whitepaper The Business Value of Extended Validation.