SSL certificates are a core security reassurance tool to create trust online. However, the introduction of low assurance SSL certificates began to erode trust in the market. It became clear that a new approach was needed to protect legitimate businesses.
Phishing, pharming and other threats undermined the essential ingredient necessary to any online transaction: trust.
That is why browser providers and certification authorities have worked together throughout the last few years to create a new level of trust online through new browser-based identity indicators.
The Necessity for Extended Validation SSL Certificates
SSL Certificates help establish trust when doing business online. An SSL certificate enables a secure connection between the web server and the browser that connects to it, and the website's URL is prefixed with "https" instead of "http", along with a "lock" symbol to provide assurance.
SSL Certificates are issued by Certificate Authorities. They issue certificates after verifying the domain and organization of the requesting party. There are different types of SSL certificates carrying different levels of validation. For domain-validated certificates, the CA verifies only the domain. This is quite an easy process, and the issuance is mostly automated. The organization is not validated, and hence these are called low-assurance SSL certificates. Displaying the same assurance symbols for both organization-validated and domain-validated SSL certificates resulted in confusion and a loss of trust in even legitimate businesses.
This necessitated the development of Extended Validation SSL Certificates (EVSSL), and stringent rules were laid down for the issuance of these certificates. As an added assurance, the address bar was also displayed in green.
What is an EV SSL Certificate?
Extended Validation Certificates are issued by Certification Authorities (CA) after confirmation of your site identity and validation of your organization according to the rigorous industry guidelines established by the CA/Browser Forum. In addition to "https" before your website's URL, the address bar turns green to deliver a new level of trust to the website visitors.
Features and Advantages of EV SSL
- EV SSL Certificates are issued only after extensive and strict verification processes are done as recommended by the CA/Browser Forum.
- Website visitors will easily trust the website as a legitimate entity.
- The green browser address bar and Comodo's Trustmark visually assure your customers that your website is safe and secure for online transactions.
- EV Trustmark: A simple mouse-over displays your credentials, which further assures your identity to your customers.
Benefits of Extended Validation Certificate (EVSSL)
- More trust of identity, website, and business
- Protects your customers from phishing attacks
- Reduced shopping cart abandonment
- Increased conversion rates
- Highly competitive price
- Ease of EV SSL deployment
Better Consumer Protection Through Stringent Guidelines
The CA/Browser Forum has prescribed stringent guidelines for the issuance of EV SSL certificates. A website or web page that is secured with an EV SSL certificate will display a padlock in the address bar, plus either the address bar or the name of the company/organization in green. The display differs between browsers. A Trustmark further displays the credentials of the business, inducing more trust.
The EV SSL is the strongest indication that can visually assure website visitors that the website owner can be trusted. The highest level of assurance of EV SSL certificates encourages website visitors to trust and complete transactions.
Extended Validation or EV SSL Certificates to Achieve a New Level of Trust
SSL certificates are a critical building block for secure electronic commerce and one of the ubiquitous uses of public key infrastructure (PKI). SSL certificates provide three security services (confidentiality, authentication, and integrity) so that users can:
- Securely communicate with a Web site so that information provided by the Internet user cannot be intercepted in transit (confidentiality)
- Be sure that this information cannot be altered without detection (integrity)
- Verify that the Internet user is actually at the company's Web site and not an impostor's site (authentication).
This latter point is fundamental to understanding the need for EV SSL Certificates. With the proliferation of low-assurance, domain-only verified SSL certificates, there was no assurance that a certificate could verify the organization "ABC Company, Inc.". The user has no means to find out that ABC Company, Inc. is the legitimate owner of a Web site named www.abccompany.com, or to come to the conclusion that the site www.abc-company.com is just a fake. Without this authentication security, phishing can emerge, and phishers trick unsuspecting Web surfers into doing business with someone pretending to be ABC Company, Inc.
To purchase this next-generation EV SSL Certificate, an organization has to go through a validation process that meets the Extended Validation Guidelines established by the CA/Browser Forum. In addition to confirming domain name ownership, the process includes authenticating the authority of the contact person requesting the certificate, verification of the business with government or third-party business registries, and other methods to assure the legal and physical existence of the business.
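The difference between a domain-validated certificate and an EV certificate is visible in the certificate itself. The following added example (not code from the original page or from any CA) classifies a certificate given in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; because that dictionary does not expose certificate policies, the CA/Browser Forum policy OIDs are passed separately, and both sample certificates are constructed for the two host names used above.

```python
# Added example: constructed data, not from the original page.
# CA/Browser Forum certificate-policy OIDs that state the validation level.
CABF_POLICY_LEVEL = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.1": "DV",
}
# Subject attributes that EV certificates carry in addition to organizationName.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten the nested RDN tuples used by ssl.SSLSocket.getpeercert()."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert, policy_oids=()):
    """Return (level, organization); organization is None when the CA vouched for none."""
    subject = subject_fields(cert)
    org = subject.get("organizationName")
    # Authoritative signal: the policy OID asserted by the CA, highest level first.
    for oid, level in CABF_POLICY_LEVEL.items():
        if oid in policy_oids:
            return level, org if level != "DV" else None
    # Fallback heuristic when policy OIDs are unavailable: inspect the subject.
    if org is None:
        return "DV", None
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV", org
    return "OV", org


# Constructed samples for the two host names used in the text above.
LEGITIMATE = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("organizationName", "ABC Company, Inc."),),
    (("commonName", "www.abccompany.com"),),
)}
LOOKALIKE = {"subject": ((("commonName", "www.abc-company.com"),),)}

if __name__ == "__main__":
    for cert, oids in ((LEGITIMATE, ["2.23.140.1.1"]), (LOOKALIKE, ["2.23.140.1.2.1"])):
        print(subject_fields(cert)["commonName"], validation_level(cert, oids))
```

Both certificates would produce the same padlock; only the first one names an organization that the CA has verified.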
Why is this point important?
Since the early days of the internet, leading browser providers such as Microsoft and Netscape/Mozilla or Opera have recognized the importance of identity assurance in SSL certificates and incorporated easy-to-understand icons (locks and keys) into their browsers to inform Web site visitors when an SSL session was invoked and, consequently, that their information would be secure in transit. Until recently, this simple approach worked well and facilitated the expansion of online commerce. However, changes in the SSL certificate marketplace pose a security risk with a potential threat to consumer confidence in the security of online commerce.
Newer guidelines will provide better consumer protection.
Until now, because of the way SSL sessions have been displayed in browsers, phishers could potentially apply a padlock to fraudulent sites through easily procured Low Assurance SSL Certificates. To close this security gap, Certificate Authorities (CAs) and browser vendors have taken action by giving consumers the means to distinguish between business-validated High Assurance Certificates and domain-only validated Low Assurance Certificates.
For example, in web browsers such as Microsoft Internet Explorer, Firefox, Opera, Chrome and Comodo Dragon, users will immediately see the green address bar or green padlock when they visit a web site secured with EV SSL. A display next to the URL will toggle between the organization name in the certificate and the Certificate Authority that issued the SSL Certificate. The green bar means that a third party has validated the legitimacy of the business and the business's right to use the domain name, and that the High-Assurance SSL Certificate was legitimately obtained.
Microsoft IE address bar for a site with an EV SSL
Firefox address bar for a site with an EV SSL
Chrome address bar for a site with an EV SSL
Comodo Dragon address bar for a site with an EV SSL