Role of Extended Validation SSL Certificates in Establishing Trust Online

The SSL protocol and certificates are used by millions of banks and e-commerce merchants to protect their customers and ensure their online transactions remain confidential. SSL certificates are provided by certification authorities (CA), and consumers have grown to associate the 'yellow padlock' as an indication of trust in the web site. Trust is the critical precursor to converting visitors into paying customers.

Yet given the number of people on the Internet, the volume of e-commerce sales is surprisingly low.

The reason conversion is lower than expected is fear of online fraud, and that fear is well founded. Gartner reports that nearly two million Americans were victims of fraud over the Internet during a recent 12-month period. Gartner estimates that 57 million Internet users in the United States have received email related to phishing scams that impersonate popular websites, and that about 1.8 million people consequently divulged personal information. Three-quarters of those phishing attacks occurred in the previous six months.

The new EV SSL certificates are designed to address this. For the first time, browsers allow consumers to distinguish between vetted online businesses and those whose identity cannot be verified.

And the businesses that win peoples' trust will win their business too!

The Role of Trust in Creating Customers

Over the past 10 years, consumer magazines, industry bodies and security providers have educated the market on the basics of online security. The majority of consumers now expect security to be integrated into any online service, and for most users that means seeing the yellow padlock.

For many customers, the only time they will consider buying your products or services online is when they are satisfied that their details are secure. Using an SSL certificate to secure your online business signals to your customers that you take their security seriously: they can see for themselves that their transactions are encrypted and confidential.

For the first time, web browsers such as Internet Explorer, Opera, Firefox, Chrome and Comodo Dragon allow consumers to distinguish between vetted online businesses and those whose identity cannot be verified. The address bar of these web browsers turns green whenever a customer visits a website secured with an Extended Validation SSL certificate. Note that this was true of the browser versions current when this was written; current releases of Chrome, Firefox and Safari have since removed the green address bar treatment, and the EV organization details are now visible only in the certificate viewer.

[Screenshots: address bars of Microsoft Internet Explorer, Firefox, Chrome, Comodo Dragon and Apple Safari for a site with an EV SSL certificate]

Establishing trust online is first about establishing identities. A user might assume that the yellow padlock verifies the site's identity, but the padlock only indicates that the connection is encrypted. All padlocks look the same, despite the significantly differing levels of trust that come with the presence or absence of identity authentication behind the certificate.

Lower-assurance server certificates do not authenticate the identity of the subscriber: they bind a key to a host name, not to a verified organization. Using current browser technology, it is very difficult for an Internet user to distinguish between lower-assurance server certificates and higher-assurance certificates that provide identity assurance.

The result?

Loss of trust because of phishing: when identity cannot be verified, a fraudulent website can impersonate a legitimate business and still display the same padlock.

Certification Authorities (CAs) such as Comodo and VeriSign provide a key link in the Internet security chain. A CA acts as a trusted third party whose purpose is to sign certificates only for entities it has authenticated, so the user need only trust the CA rather than verify each site independently.

CAs require highly evolved infrastructure and business processes to manage complex and variable environments, including Public Key Infrastructure (PKI) services, validation processes, customer support, evolving security threats, database management and monitoring, user authentication and vulnerability identification. Further, these systems must support diverse stakeholder groups: consumers, enterprises, ISPs, browser providers and government agencies.

Therefore, CAs are a first line of protection for end user security and safety, because CAs complete critical verification steps prior to certificate issuance. In general, an Internet user incurs a higher degree of risk when such verification steps are not performed, as is the case with low-assurance certificates.

Without the full authentication that a Certification Authority delivers, identity assurance risks include:

1. No authentication of the organization's identity by the CA. A malicious individual could masquerade as an existing organization, deceiving users into believing that the fake site is in fact the "real" website whose name is included in the site's SSL certificate.
2. No check by the CA of the applicant's right to use the domain name.
3. No check by the CA of the organization's existence. A malicious individual could pretend to be an organization even though no such organization exists (i.e., the organization has not been registered with the appropriate government authority).
4. No check by the CA of the applicant's identity and authority to request a certificate for the organization. A malicious individual who is not authorized by the organization could obtain an SSL certificate bearing the organization's name, allowing the malicious individual to masquerade as the organization.
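The validation level a CA actually performed is recorded in the certificate itself, in the certificatePolicies extension, so a practitioner does not have to rely on the padlock or the address bar colour. The following is an added example, not code from this page or from any CA: it encodes and decodes that extension with a small stdlib-only DER routine and classifies a certificate as EV, OV, IV or DV from the CA/Browser Forum reserved policy identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV). The sample extensions are constructed here, and the OID 1.3.6.1.4.1.99999.1.1 stands in for a hypothetical CA-specific EV policy OID.

```python
"""Classify a certificate's validation level from its certificatePolicies
extension value (the DER-encoded extnValue), using only the standard library.
Added example: a minimal DER encoder/decoder plus the CA/Browser Forum
reserved policy OIDs; the sample extensions at the bottom are constructed."""

# CA/Browser Forum reserved certificate policy identifiers.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}


def encode_oid(dotted):
    """Encode a dotted OID string as the content octets of a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """Inverse of encode_oid."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_tlv(tag, content):
    """Wrap content octets in a DER tag/length header (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_certificate_policies(dotted_oids):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation,
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }."""
    infos = b"".join(der_tlv(0x30, der_tlv(0x06, encode_oid(o))) for o in dotted_oids)
    return der_tlv(0x30, infos)


def policy_oids(ext_value):
    """Return the dotted policy OIDs carried by a certificatePolicies extnValue."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_body, _ = read_tlv(info, 0)    # qualifiers (if any) are ignored
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def validation_level(ext_value):
    """'EV', 'OV', 'IV', 'DV', or 'unknown' when only CA-specific OIDs are present."""
    found = {CABF_POLICY_OIDS[o] for o in policy_oids(ext_value) if o in CABF_POLICY_OIDS}
    for level in ("EV", "OV", "IV", "DV"):     # strongest recognised level wins
        if level in found:
            return level
    return "unknown"


# Constructed sample extensions (not taken from real certificates).
EV_SAMPLE = build_certificate_policies(["2.23.140.1.1", "1.3.6.1.4.1.99999.1.1"])
OV_SAMPLE = build_certificate_policies(["2.23.140.1.2.2"])
DV_SAMPLE = build_certificate_policies(["2.23.140.1.2.1"])
LEGACY_SAMPLE = build_certificate_policies(["1.3.6.1.4.1.99999.1.1"])  # CA-specific OID only

if __name__ == "__main__":
    for name, ext in [("EV", EV_SAMPLE), ("OV", OV_SAMPLE), ("DV", DV_SAMPLE), ("legacy", LEGACY_SAMPLE)]:
        print(name, policy_oids(ext), "->", validation_level(ext))
```

Two caveats for real use. An "unknown" result is not proof of a low-assurance certificate: EV certificates issued before the CA/Browser Forum OID was adopted carry only the CA's own EV policy OID, which browsers recognised from a per-root list. And the policy OID is only a claim made by the issuer; it means nothing unless the certificate chains to a root that the relying party trusts for that level of validation, so the chain must be verified first.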