While a secure sockets layer (SSL) certificate may seem to be a piece of paper, it is actually a file connecting its holder with a public key that allows for cryptographic data exchange. Recognized industry-wide as a standard security component, SSL use is also a ranking factor that assists with search engine optimization (SEO). The core function of an SSL cert, though, is to provide encryption for the site pages for which it is configured, enable the https protocol, and introduce lock icons in browsers to indicate secure connections. Certificates can be validated to various degrees – and this validation provides a completely different, administrative layer of security to complement the technical security.
Certification authorities & SSL validation categories
A certification authority (CA), also called a certificate authority, is an organization that has been authorized to issue SSL certificates and that grants applications for them. Because the certificates they issue allow for authentication of information delivered from web browsers to servers and vice versa, CAs are core to the public key infrastructure (PKI) of the Internet.
The three basic types of SSL certificates from a validation perspective are domain validation (DV), organization validation (OV), and extended validation (EV). This article outlines the basic, core differences between the three validation levels in brief and then further addresses the parameters of each level.
Nutshell differences between DV, OV & EV
While the types of validation that you can get for a certificate vary, the technology is fundamentally equivalent, following the same encryption standards. What varies hugely between the three is the validation that ensures the legitimacy of the certificate:
- Domain Validation SSL – You can get these DV certificates very rapidly, partly because you do not have to send the CA any documentation. The CA from which you order the certificate simply needs to verify that the domain is legitimate and that you are its legitimate owner. While the only function of a DV cert is to secure the transmission of data between the web server and browser, and while anyone can get one, they do help prove to your visitors that you are the site you claim to be while also building trust.
- Organization Validation SSL certificates – A step up from domain validation is the OV certificate, which goes beyond the basic encryption to give you stronger trust about the organization that controls the site. The OV cert makes it necessary to confirm the owner of the domain, as well as to validate certain information about the organization. In this way, the OV cert provides stronger security than you can get with a DV cert.
- Extended Validation SSL certificates – The highest level of validation, and the most expensive type of SSL certificate, is the EV certificate. The browsers acknowledge the credibility of an EV cert and use it to create a green indicator in the address bar. You cannot be granted or install an EV certificate until you have been extensively assessed by the CA. The EV cert has a similar focus to the OV cert, but the checking of the company and domain is much more rigorous. To successfully apply for an EV certificate, you must submit to a robust validation procedure that thoroughly verifies the genuineness of your organization and site prior to issue.
In the case of a compromise, your insurance payout will also generally be higher for an EV certificate than for OV and DV, since there is better security baked into the EV process (rendering a compromise less likely).
Domain Validation – affordable yet less trusted
The DV certificate is the most popular certificate, so it deserves our attention first as we consider strengths and weaknesses of this low-end certificate.
- You can get one very quickly. You do not need to give the CA any additional paperwork in order to confirm your legitimacy. It typically only takes a few minutes to get one.
- DV certificates are very inexpensive. They are typically issued through an automated system, so you do not have to pay as much for one.
- The DV certificate is less secure than certs with higher validation levels since you are not submitting to any real identity validation. The ease exposes you to potential fraud: an attacker could conceal who they are and still get issued a DV cert – regardless of whether they poison your DNS servers.
- When a DV certificate is installed, since there is no effort to vet the company, you are less likely to establish trust with those who visit your site.
- Since DV certificates do not yield as much trust, people who use your site might not feel inclined to give you their payment data.
Organization Validation – beyond the domain check
While a DV certificate simply connects a domain and owner, that quick-and-dirty issuance process does nothing to check that the owner is a valid organization. OV is a step up, ensuring that the domain is operated by an organization that is officially established in a certain jurisdiction. While these certificates are also issued relatively quickly, you do need to go a bit beyond the simple signup process used for a DV cert, since you must do more to prove the correct identity of your firm.
The certificate presents your company details, listing your company’s name; fully qualified domain name (FQDN); nation; state or province; and city.
Extended Validation – premium assurance
The Extended Validation certificate, as its name suggests, involves much more rigorous checking to confirm the legitimacy of the organization, in turn providing a significantly better browser indication that the domain can be trusted. You will need to wait to get an EV certificate in place (in which case you could use a rapid-issue DV certificate initially and then replace it with an EV certificate once validated).
EV is bound by parameters determined by the Certification Authority Browser Forum (CA/Browser Forum), a voluntary association of root certificate issuers (consortium members that provide certificates issued to lower-authority CAs); certificate issuers (organizations that directly validate applicants and issue certificates); and certificate consumers (CA/B Forum member organizations that develop browsers and other software that use certificates for public assurance).
In order to provide the greatest possible confidence that a site is operated by a legitimate company, an EV SSL verifies and displays the organization that owns the site via inclusion of the name; physical address; registration or incorporation number; and jurisdiction of registration or incorporation.
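The organization details listed for OV and EV above live in the certificate's subject, and the validation level itself is recorded as a policy OID in the certificatePolicies extension. The following is an added example (not part of the original article) that reads both with the Python `cryptography` package; it assumes the issuing CA includes the CA/Browser Forum reserved policy OIDs, and the sample certificates, names and values are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CA/Browser Forum policy OIDs, highest validation level first.
LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}

def validation_level(cert):
    """Return (level, organization) from policy OIDs and the subject."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
        oids = {p.policy_identifier.dotted_string for p in ext.value}
    except x509.ExtensionNotFound:
        oids = set()
    level = next((lvl for oid, lvl in LEVELS.items() if oid in oids), "unknown")
    org = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    org_name = org[0].value if org else None
    # OV and EV assert an organization identity; without one the cert is inconsistent.
    if level in ("OV", "EV") and org_name is None:
        level = "inconsistent"
    return level, org_name

def make_sample(policy_oid, attrs):
    """Build a constructed, self-signed sample certificate (demo input only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(o, v) for o, v in attrs])
    start = datetime.datetime(2024, 1, 1)
    policies = x509.CertificatePolicies(
        [x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=30))
            .add_extension(policies, critical=False)
            .sign(key, hashes.SHA256()))

# Constructed samples: names and values are placeholders, not real certificates.
DV_CERT = make_sample("2.23.140.1.2.1", [(NameOID.COMMON_NAME, "shop.example")])
EV_CERT = make_sample("2.23.140.1.1", [
    (NameOID.COMMON_NAME, "shop.example"),
    (NameOID.ORGANIZATION_NAME, "Example Corp"),
    (NameOID.LOCALITY_NAME, "Springfield"), (NameOID.COUNTRY_NAME, "US"),
    (NameOID.JURISDICTION_COUNTRY_NAME, "US"),
    (NameOID.SERIAL_NUMBER, "0000000"),
])
BAD_OV_CERT = make_sample("2.23.140.1.2.2", [(NameOID.COMMON_NAME, "shop.example")])
```

All three samples use the same key type and signature algorithm; only the subject fields and the policy OID differ, which is the distinction between DV, OV and EV.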
By making validation of the company more robust, users of EV SSL are able to combat identity thieves in various ways:
- Bolster the ability to prevent acts of online fraud such as phishing that can occur via bogus SSL certificates;
- Offer a method to help organizations that could be targeted by identity thieves strengthen their ability to prove their identity to site visitors; and
- Help police and other agencies as they attempt to determine who is behind fraud and, as necessary, enforce applicable laws.
The clearest way that EV is indicated is through a green address bar. This visual cue of the security and trust level of a site signals to consumers who may know nothing about SSL certificates that the browser they are using approves of the site.
Maintain the trust you need
Do you need to keep your transactions and communications secure, whether for ecommerce, to protect a login page, or to improve your search engine presence? At Total Server Solutions, our SSL certificates are a great way to show your customers that you put security first. See our SSL certificate options.