Introduction
From the server administrators of highly technological organizations, to product managers of financial institutions, down to the one man startup companies that just want to secure their shopping cart, at one stage or another, the same question pops-up: “They all do the same thing, what should we get?”
Fundamentally all SSL certificates do the same thing, encrypt information during SSL/TLS negotiations. Correctly installed and configured, both https:// and the padlock will show.
However picture this:
You want to buy smart phone online. You see three sellers offering the phone at different prices:
US$250 – Zero star rating – no comments
US$375 – Three star rating - with 50% of comments such as “it arrived late”, “It was scratched” and other 50% of the comments, “ok service” and “arrived on time”.
US$400 – Five star rating – with only good comments: “excellent service” and “fast and reliable”.
Which seller will be most likely to deliver the goods to you on time? The one offering $400?
Why? The comments from previous buyers formed a conscious or sub-conscious decision in your mind. The decision is based on “Trust”. They have been authenticated by real people.
Anyone that purchased from the first two sellers most likely would base their decision on both price and luck (“Maybe I would not be unlucky”).
Here’s another scenario: A hooded man walks out from a dark alley and offer you a brand new IPhone 6, still in its box for US $50.
Do you feel lucky today?
Owning a Certificate
Before requesting a certificate, most security administrators would have done their analysis homework. Is it for internal or public use? What is the user base and their method of use? What operating system and server software are involved? What systems will be impacted? What are the security policy requirements?
Beyond the technical specifications often a key question is neglected, the question of User Trust. Owning an SSL certificate it is not only about the functionality, or the key size, but rather as the Thawte motto goes, “It’s a trust thing”.
Today there are three types of certificates that offer 3 levels of user trust for SSL/TLS negotiations: Domain Validated certificates (DV), Organization Validated certificate (OV) and Extended Validation certificates (EV).
Domain Validated Certificate
Domain Validated certificates are certificates that are checked against domain registry. There is no identifying organizational information for these certificates and thus should never be used for commercial purposes. It is the cheapest type of certificate to get, but this is a high risk certificate use on a public website. It is comparable to the “hooded man” or the zero star rating sellers. Visitors to a website with DV certificates cannot validate, via the certificate, if the business on the site is legitimate and thus often DO NOT trust this type of certificate. It is recommended using these types of certificates where security is not a concern, such as protected internal systems.
This is an example of a DV certificate via Internet Explorer:
Details of the certificate subject: CN = www.domain.com
Organization Validated Certificate
Organizational certificates are Trusted. Organizations are strictly authenticated by real agents against business registry databases hosted by governments. Documents may exchange and personnel may be contacted during validation to prove the right of use. OV certificates therefore contain legitimate business information. This is the standard type of certificate required on a commercial or public facing website. OV certificates conform to the X.509 RFC standards and thus contain all the necessary information to validate the organization.
Details of the certificate via Firefox:
Details of the certificate: CN = www.domain.com, O = Company Name, OU = Information Technology, L = San Diego, S = California, C = US
Extended Validation Certificate
Nothing provides more trust and security than Symantec Extended Validation Certificates. It is used by most of the world’s leading organizations. They have found that switching from OV to EV certificates increases online transactions and improve customer confidence. It is no longer a luxury but a necessity.
“An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a Certificate Authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce ‘domain validation only’ SSL certificates for which minimal verification is performed of the details in the certificate.
Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites.” – Wikipedia.
EV certificates reinstate the trust users have for a secured web site. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation and provide a vetting process that is much stricter than that for OV certificates. Apart from improving trust and confidence via the strictest authentication process, EV certificates triggers a visible Green Bar on modern browsers to distinguish the secured site apart from others. The combination of Symantec’s world trusted strict validation procedures, the Symantec/Norton Seal and the Green Bar provides the highest degree of trust amongst consumers. It is extremely difficult to impersonate or phish an EV enabled site as even if web content can be duplicated, the Green Bar cannot be triggered without a trusted EV certificate.
Browsers that support EV Green Bar:
Google Chrome, Internet Explorer 7.0+, Firefox 3+, Safari 3.2+, Opera 9.5+
Immediately when accessing a secured EV enabled site with one of the above browsers, the following can be seen:
(EV Green Bar cannot not be triggered by DV or OV certificates)
Detailed certificate information:
Visitors viewing details of the certificate will find more information about the organization than a DV or OV certificate:
Symantec Certificate policy required for the Green Bar:
[1]Certificate Policy:
Policy Identifier=2.16.840.1.113733.1.7.23.6
Consumer Awareness
EV is good. It does work. Have a look at some of the success stories clients have at Symantec EV Success. The discoveries of vulnerabilities and increase in organized cyber-attacks in the recent years have made consumers more and more aware of security and SSL. More and more consumers look for the Green Bar and the Symantec Seal when doing online transactions. Extended Validation goes beyond security. It has become the baseline for any reputable site that care about security, brand and their clients.
EV makes a difference. It has proven advantages over sites that do not have EV. Not all organizations are feasible to receive an EV certificate. However sites that switched from standard OV to EV have experienced 5 – 28% increases in web traffic and sales volumes. Commercial web sites cannot settle for anything less than EV status if they wish to stay competitive.
What certificate to choose? Go Green. Green is good.