SSL certificates are a core security reassurance tool to create trust online. However, the introduction of low assurance SSL certificates began to erode trust in the market. It became clear that a new approach was needed to protect legitimate businesses.
Phishing, pharming and other threats undermined the essential ingredient of any online transaction: trust.
That is why browser providers and certification authorities have worked together throughout the last few years to create a new level of trust online through new browser-based identity indicators.
Extended Validation, or EV, SSL Certificates: achieving a new level of trust.
SSL certificates are a critical building block for secure electronic commerce and one of the most ubiquitous uses of public key infrastructure (PKI). SSL certificates provide three security services (confidentiality, authentication, and integrity) so that users can:
- Securely communicate with a Web site so that information provided by the Internet user cannot be intercepted in transit (confidentiality)
- Or altered without detection (integrity)
- Verify that the Internet user is actually at the company's Web site and not an impostor's site (authentication).
This latter point is fundamental to understanding the need for EV SSL Certificates. With the proliferation of low-assurance, domain-only verified SSL certificates, there was no assurance that a certificate could verify the organization "ABC Company, Inc.". The user has no means to find out whether ABC Company, Inc. is the legitimate owner of a Web site named www.abccompany.com, or to conclude that the site www.abc-company.com is just a fake. Without this authentication, phishing can emerge, and phishers can trick unsuspecting Web surfers into doing business with someone pretending to be ABC Company, Inc.
To purchase this next generation EV SSL Certificate, an organization has to go through a validation process that meets the Extended Validation Guidelines established by the CA/Browser Forum. In addition to confirming domain name ownership, the process includes authenticating the authority of the contact person requesting the certificate, verification of the business with government or third-party business registries, and other methods to assure the legal and physical existence of the business.
Why is this point important?
Since the early days of the internet, leading browser providers such as Microsoft, Netscape/Mozilla and Opera have recognized the importance of identity assurance in SSL certificates and incorporated easy-to-understand icons (locks and keys) into their browsers to inform Web site visitors when an SSL session was invoked and, consequently, that their information would be secure in transit. Until recently, this simple approach worked well and facilitated the expansion of online commerce. However, changes in the SSL certificate marketplace pose a security risk with a potential threat to consumer confidence in the security of online commerce.
Newer guidelines will provide better consumer protection.
Until now, because of the way SSL sessions have been displayed in browsers, phishers could potentially apply a padlock onto fraud sites through easily procured Low Assurance SSL Certificates. To close this security gap, Certificate Authorities (CAs) and browser vendors have taken action by giving consumers the means to distinguish between business-validated High Assurance Certificates and domain-only validated Low Assurance Certificates.
For example, in web browsers such as Microsoft Internet Explorer, Firefox, Opera, Chrome and Comodo Dragon, users will immediately see the green address bar or green padlock when they visit a web site secured with EV SSL. A display next to the URL will toggle between the organization name and the certificate and the Certificate Authority that issued the SSL Certificate. The green bar means that a third party has validated the legitimacy of the business and the business's right to use the domain name, and that the High-Assurance SSL Certificate was legitimately obtained.
Microsoft IE address bar for a site with an EV SSL
Firefox address bar for a site with an EV SSL
Chrome address bar for a site with an EV SSL
Comodo Dragon address bar for a site with an EV SSL
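
The distinction drawn above between domain-only and business-validated certificates can also be checked outside the browser. The following is an added example, not part of the original article: it classifies a certificate by the identity fields in its subject, using the dict shape returned by Python's ssl.SSLSocket.getpeercert(). Assumptions: the subject-field test is a simplified heuristic (browsers decide EV status from certificate policy identifiers and their trusted-root lists), and the three sample certificates are constructed.

```python
# Added example: classify validation level from a certificate's subject fields.
# Heuristic only; it does not replace chain validation or policy-OID checks.

# The jurisdiction attribute appears under its long name on current builds and
# as a dotted OID on older Python/OpenSSL builds, so both are accepted.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}
# Identity attributes an EV subject carries in addition to the jurisdiction.
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber"}


def subject_fields(cert):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Return (level, organization) where level is 'DV', 'OV' or 'EV'."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if org is None:
        # Only domain control was checked; no business name is vouched for.
        return "DV", None
    if EV_REQUIRED.issubset(fields) and EV_JURISDICTION.intersection(fields):
        return "EV", org
    return "OV", org


# Constructed sample certificates (not real), using the article's host names.
DV_CERT = {"subject": ((("commonName", "www.abc-company.com"),),)}
OV_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "ABC Company, Inc."),),
    (("commonName", "www.abccompany.com"),),
)}
EV_CERT = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),  # placeholder registration number
    (("countryName", "US"),),
    (("organizationName", "ABC Company, Inc."),),
    (("commonName", "www.abccompany.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, "sample ->", validation_level(cert))
```

The domain-only sample for www.abc-company.com returns no organization at all, which is the gap the article describes: the padlock alone says nothing about who operates the site.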