SSL certificates are a core security reassurance tool to create trust online. However, the introduction of low assurance SSL certificates began to erode trust in the market. It became clear that a new approach was needed to protect legitimate businesses.

Phishing, pharming and other threats undermined the essential ingredient necessary to any online transaction: trust.

That is why browser providers and certification authorities have worked together throughout the last few years to create a new level of trust online through new browser-based identity indicators.

The Necessity for Extended Validation SSL Certificates

SSL Certificates help establish trust when doing business online. An SSL certificate enables a secure connection between the web server and the browser that connects to it, and the website's URL is prefixed with "https" instead of "http", along with a "lock" symbol to provide assurance.

SSL Certificates are issued by Certificate Authorities. They issue certificates after verifying the domain and organization of the requesting party. There are different types of SSL certificates carrying different levels of authorization. For domain-validated certificates, the CA verifies only the domain. This is quite an easy process, and the issuance is mostly automated. The organization is not validated, and hence these are called low assurance SSL certificates. Displaying the same assurance symbols for both organization-validated SSL certificates and domain-validated SSL certificates resulted in confusion and loss of trust in even legitimate businesses.

This necessitated the development of Extended Validation SSL Certificates (EVSSL), and stringent rules were laid down for the issuance of these certificates. As an added assurance, the address bar was also displayed in green.

What is an EV SSL Certificate?

Extended Validation Certificates are issued by Certification Authorities (CA) after confirmation of your site identity and validation of your organization according to the rigorous industry guidelines established by the CA/Browser Forum. In addition to "https" before your website's URL, the address bar turns green to deliver a new level of trust to the website visitors.

Features and Advantages of EV SSL

Benefits of Extended Validation Certificate (EVSSL)

Better Consumer Protection Through Stringent Guidelines

The CA/Browser Forum has prescribed stringent guidelines for issuance of EV SSL certificates. A website or web page that's secured with an EV SSL certificate will display a padlock in the address bar, plus either the address bar in green or the name of the company/organization in green. The display differs between browsers. A Trustmark further displays credentials of the business, inducing more trust.

The EV SSL is the strongest indication that can visually assure website visitors that the website owner can be trusted. The highest level of assurance of EV SSL certificates encourages website visitors to trust and complete transactions.

Extended Validation or EV SSL Certificates to achieve a new level of trust.

SSL certificates are a critical building block for secure electronic commerce and one of the ubiquitous uses of public key infrastructure (PKI). SSL certificates provide three security services (confidentiality, authentication, and integrity) so that users can:

This latter point is fundamental to understanding the need for EV SSL Certificates. With the proliferation of low assurance, domain-only verified SSL certificates, there was no assurance that a certificate could verify the organization "ABC Company, Inc.". The user has no means to find out that ABC Company, Inc. is the legitimate owner of a Web site named www.abccompany.com, or to come to the conclusion that the site www.abc-company.com is just a fake. Without this authentication security, phishing can emerge and phishers can trick unsuspecting Web surfers into doing business with someone pretending to be ABC Company, Inc.

To purchase this next generation EV SSL Certificate, an organization has to go through a validation process that meets the Extended Validation Guidelines established by the CA/Browser Forum. In addition to confirming domain name ownership, the process includes authenticating the authority of the contact person requesting the certificate, verification of the business with government or third-party business registries, and other methods to assure the legal and physical existence of the business.
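The difference between domain-only and business-validated certificates described above is visible in the certificate subject itself. The following is an added example, not code from Comodo or from this page: a heuristic that classifies a certificate from the subject fields Python's `ssl.SSLSocket.getpeercert()` returns. The function names and the three sample certificates (built from the ABC Company names used above, with a placeholder registration number) are constructed for illustration.

```python
# Added example: heuristic assurance-level check on a decoded certificate subject.
# The authoritative EV marker is the CA/Browser Forum policy OID 2.23.140.1.1 in
# certificatePolicies, which getpeercert() does not expose, so this inspects the
# subject attributes that EV issuance adds instead.

# Older OpenSSL builds report the jurisdiction attribute by OID rather than by name.
EV_JURISDICTION = {"jurisdictionCountryName", "jurisdictionC",
                   "1.3.6.1.4.1.311.60.2.1.3"}
EV_REQUIRED = ({"businessCategory"}, EV_JURISDICTION, {"serialNumber"})

def subject_attrs(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def assurance_level(cert):
    """Return 'DV', 'OV' or 'EV' based on what the subject asserts."""
    names = set(subject_attrs(cert))
    if "organizationName" not in names:
        return "DV"  # only control of the domain was checked
    if all(names & group for group in EV_REQUIRED):
        return "EV"  # registry number, jurisdiction and business type present
    return "OV"

def describe(cert):
    """One-line summary: host, level and the organization vouched for, if any."""
    attrs = subject_attrs(cert)
    owner = attrs.get("organizationName", "unverified owner")
    return f"{attrs.get('commonName', '?')}: {assurance_level(cert)} ({owner})"

# Constructed sample subjects, in the shape getpeercert() returns.
SAMPLE_DV = {"subject": ((("commonName", "www.abc-company.com"),),)}
SAMPLE_OV = {"subject": ((("countryName", "US"),),
                         (("organizationName", "ABC Company, Inc."),),
                         (("commonName", "www.abccompany.com"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),  # placeholder value
                         (("organizationName", "ABC Company, Inc."),),
                         (("commonName", "www.abccompany.com"),))}

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(describe(sample))
```

Both the lookalike domain and the genuine one would show the same padlock; only the subject contents reveal that the first names no organization at all.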

Why is this point important?

Since the early days of the internet, leading browser providers such as Microsoft and Netscape/Mozilla or Opera have recognized the importance of identity assurance in SSL certificates and incorporated easy-to-understand icons (locks and keys) into their browsers to inform Web site visitors when an SSL session was invoked and consequently that their information would be secure in transit. Until recently, this simple approach worked well and facilitated the expansion of online commerce. However, changes in the SSL certificate marketplace pose a security risk with a potential threat to consumer confidence in the security of online commerce.

Newer guidelines will provide better consumer protection.

Until now, because of the way SSL sessions have been displayed in browsers, phishers could potentially apply a padlock onto fraud sites through easily procured Low Assurance SSL Certificates. To close this security gap, Certificate Authorities (CAs) and browser vendors have taken action by giving consumers the means to distinguish between business-validated High Assurance Certificates and domain-only validated Low Assurance Certificates.

For example, in web browsers such as Microsoft Internet Explorer, Firefox, Opera, Chrome and Comodo Dragon, users will immediately see the green address bar or green padlock when they visit a web site secured with EV SSL. A display next to the URL will toggle between the organization name and the certificate and the Certificate Authority that issued the SSL Certificate. The green bar means that a third party has validated the legitimacy of the business and the business's right to use the domain name, and that the High-Assurance SSL Certificate was legitimately obtained.

Microsoft IE address bar for a site with an EV SSL

Firefox address bar for a site with an EV SSL

Chrome address bar for a site with an EV SSL

Comodo Dragon address bar for a site with an EV SSL

© Comodo CA Limited . All Rights Reserved.