Extended Validation (EV) SSL Certificates

December 30th, 2009

Standard SSL Certificates are issued by a Certificate Authority (CA) such as Thawte after the CA performs some basic validation of the identity of the party requesting the certificate, to ensure that the certificate does not end up in “the wrong hands”.

The validation performed for standard SSL certificates varies by the type and cost of the certificate, but may include:

  • A confirmation email message sent to the domain administrator as specified in the domain’s entry in the WHOIS database
  • A confirmation email message sent to a standard administrative email address at the domain itself, such as “admin@domain.com”.
  • The name of the organization owning the domain name may be validated.

You should purchase SSL Certificates from a CA that performs at least the above forms of validation. Note that the level of validation has nothing to do with the strength of the encryption: the key size and cipher suite are negotiated between the server and the browser and are the same whether the certificate was issued after a simple email check or after full Extended Validation. What the validation buys you is:

  • Assurance that the certificate was issued only to the party that actually controls the domain
  • A level of trust demonstrated to the end user, based on the amount of validation performed and the reputation of the Certificate Authority

So, What is the Scoop on the Extended Validation SSL Certificate?

In order to make it clearer to end users that a site is legitimate, Extended Validation certificates were introduced. These:

  • Require the Certificate Authority to perform a much more detailed validation of the request and of the people making it.
  • Make it visually obvious to the end user that an Extended Validation SSL Certificate is in use.

The net result is that the end user can distinguish sites that use these more thoroughly vetted certificates, and so:

  • Can be confident that the identity shown on the certificate was actually checked by the CA
  • Can confirm that the verified organization name displayed is the one they intended to visit; a phishing site on a look-alike domain will not carry that organization’s verified legal name
  • Needs no technical knowledge to feel “more secure”, although they do still have to look at the name, not just the color

What validation is required for Extended Validation?

Certificate Authorities issuing Extended Validation SSL Certificates must:

  • Establish the legal identity as well as the operational and physical presence (i.e. address) of the website owner;
  • Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer.

These validation checks require that the CA:

  • Look up details of the organization in several online databases.
  • Contact the applicant via email and phone to ask questions and validate the answers.
  • Have the applicant verify their identity and their authority within the organization to request the certificate.
  • Have the applicant provide contact information for Human Resources in the organization to verify the applicant’s authority, if the applicant is not already a senior staff member.
  • Have the applicant fax back written confirmations.
  • Optionally perform other validations.

In the end, the CA has established that the request originated from the organization owning the domain and from an individual authorized to request the certificate.  This is far more than is established by other types of SSL certificate validation.  As a result, end users can be much more confident that a site presenting an EV SSL Certificate belongs to the organization named in it and is not a phishing site.  They can also infer that the site operator takes its identity, and by extension its security, seriously.

How can end users tell an Extended Validation Certificate is in use?

When visiting a web site that is using an Extended Validation SSL Certificate, browsers that recognize EV certificates (the current versions of the major browsers, as of this writing) clearly indicate that in the “address bar” by:

  • Displaying the verified legal name of the organization to which the certificate was issued, in green, next to the padlock.
  • Showing the name of the Certificate Authority that issued the certificate when you mouse over or click on the organization name.

The browser decides this from the contents of the certificate itself (an EV policy identifier in the certificate, chained to a root the browser treats as EV-enabled), not from anything the web site can set in its pages, so a phishing site cannot simply style itself to look “green”.

When an end user goes to a secure site that is using an EV certificate, they will see “green” in the address bar.  End users then learn to associate “green sites” with “sites whose identity has been verified”.  Simple, clear, concise, no technical knowledge needed.  Keep in mind that the green bar says nothing about the strength of the encryption, which is identical to that of a standard certificate; it speaks to who is on the other end of the connection.

For an example, see https://luxsci.com and check out the address bar of your browser.  LuxSci uses an Extended Validation certificate provided by Thawte.com.
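To see what the browser is actually keying on, here is an added example (written for this edit; it is not LuxSci’s, Thawte’s or any browser vendor’s code). It assumes OpenSSL 1.1.1 or newer on the PATH and a POSIX shell, builds two constructed self-signed test certificates (the host name www.example.test, the organization “Example Corp” and its registration details are made up), and classifies each one by the same two markers a browser inspects: the EV policy identifier in the certificatePolicies extension and the EV-mandated identity attributes in the subject. It does not reproduce the browser’s chain check against an EV-enabled root, which needs a real trust store.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL 1.1.1 or later on
# PATH (needed for "req -addext"); everything else is POSIX sh.
#
# A browser recognizes an EV certificate from the certificate's own contents:
#   1. the certificatePolicies extension carries an EV policy OID (the CA/Browser Forum
#      EV Guidelines OID 2.23.140.1.1, or a CA-specific EV OID the browser associates
#      with that CA's root), and
#   2. the subject carries the EV-mandated identity fields: O, C, serialNumber (the
#      company registration number), businessCategory and the jurisdiction* attributes.
# This script checks those markers only; chaining to an EV-enabled root is out of scope.

set -eu

EV_POLICY_OID='2.23.140.1.1'   # CA/Browser Forum EV policy identifier
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ev_markers PEMFILE: prints "EV" if both the EV policy OID and the EV subject fields
# are present, otherwise "NOT-EV". Returns 2 if the file is not a readable certificate.
ev_markers() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    subject=$(printf '%s\n' "$text" | grep -E '^ *Subject:' | head -n 1)

    has_policy=no
    # certificatePolicies is printed as one "Policy: <oid>" line per policy.
    printf '%s\n' "$text" | grep -qF "Policy: $EV_POLICY_OID" && has_policy=yes

    # Subject attributes print by short name. OpenSSL 1.1.1+ puts spaces around "=",
    # older releases do not, hence the optional space in the pattern.
    has_subject=yes
    for attr in O C serialNumber businessCategory jurisdictionC; do
        printf '%s\n' "$subject" | grep -Eq "(^|[ ,])$attr ?=" || has_subject=no
    done

    if [ "$has_policy" = yes ] && [ "$has_subject" = yes ]; then
        echo EV
    else
        echo NOT-EV
    fi
}

# Constructed EV-style certificate: self-signed, so no CA vetted anything; it carries
# only the on-the-wire markers a real EV certificate would have.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ev.key" -out "$WORK/ev.pem" \
    -subj '/C=US/ST=Massachusetts/L=Westwood/O=Example Corp/businessCategory=Private Organization/serialNumber=000123456/jurisdictionC=US/CN=www.example.test' \
    -addext "certificatePolicies=$EV_POLICY_OID" 2>/dev/null

# Constructed domain-validated-style certificate: same key size and hash, and the
# subject is just the host name. The encryption would be identical; only the
# identity assertions differ.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/dv.key" -out "$WORK/dv.pem" \
    -subj '/CN=www.example.test' 2>/dev/null

EV_PEM="$WORK/ev.pem"
DV_PEM="$WORK/dv.pem"

printf 'ev.pem: %s\n' "$(ev_markers "$EV_PEM")"   # EV
printf 'dv.pem: %s\n' "$(ev_markers "$DV_PEM")"   # NOT-EV
```

To run the same check against a live site, capture its certificate first, for example with "openssl s_client -connect luxsci.com:443 -servername luxsci.com </dev/null | openssl x509 -outform PEM > site.pem", and then call ev_markers on site.pem. Remember that a CA-specific EV OID, rather than 2.23.140.1.1, may be what a given browser trusts for a particular root; the script would report such a certificate as NOT-EV even though the browser shows it green.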

What are the benefits of an Extended Validation Certificate?  Is it worth it?

Extended Validation SSL Certificates cost more than other types of certificates, significantly more.  The reason is clear: it takes considerably more work on the part of the Certificate Authority to perform all of the required validation steps.  If your budget allows, an EV SSL Certificate may be a good investment.  Your decision depends upon how much your organization or website depends on the image of security it portrays to its users.

If it is very important that users feel safe and secure when visiting your site (e.g. financial institutions, tax preparers, legal and medical firms), you should take the steps available to help them recognize a phishing site impersonating you. Extended Validation SSL Certificates offer a visible signal that you value your end users’ privacy and security on your website.  If you need SSL for basic security and your users do not pay much attention to the degree of trust or the possibility of phishing, or if cost is a constraint, then a standard SSL certificate from a reputable CA is acceptable; the encryption is the same either way.