2

Or are they just an attempt to get you to pay more money to a CA because it tells your browser to show the address bar in green with your organization's name?

Twitter, with an EV certificate

Also, what are the technical details of EV certificates? What exactly makes a certificate contain EV in the certificate's details?

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
Phoenix Logan
  • 502
  • 2
  • 13

3 Answers3

4

That EV certificates are "more secure" is definitely the message that the EV-Qualified CA are trying to assert -- this is how they justify that the EV certificates have higher prices. Whether EV certificates really improve the security situation is debatable. See for instance this criticism from Peter Gutmann (quoted on the Wikipedia page):

The introduction ... of so-called high-assurance or extended validation (EV) certificates that allow CAs to charge more for them than standard ones, is simply a case of rounding up twice the usual number of suspects - presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting. Indeed, cynics would say that this was exactly the problem that certificates and CAs were supposed to solve in the first place, and that “high-assurance” certificates are just a way of charging a second time for an existing service. A few years ago certificates still cost several hundred dollars, but now that the shifting baseline of certificate prices and quality has moved to the point where you can get them for $9.95 (or even for nothing at all) the big commercial CAs have had to reinvent themselves by defining a new standard and convincing the market to go back to the prices paid in the good old days.

This deja-vu-all-over-again approach can be seen by examining Verisign’s certificate practice statement (CPS), the document that governs its certificate issuance. The security requirements in the EV-certificate 2008 CPS are (except for minor differences in the legalese used to express them) practically identical to the requirements for Class 3 certificates listed in Verisign’s version 1.0 CPS from 1996. EV certificates simply roll back the clock to the approach that had already failed the first time it was tried in 1996, resetting the shifting baseline and charging 1996 prices as a side-effect. There have even been proposals for a kind of sliding window approach to certificate value in which, as the inevitable race to the bottom cheapens the effective value of established classes of certificates, they’re regarded as less and less effective by the software that uses them...

The theory is that EV certificates are issued only after more thorough verification of the requester identity, so EV certificates should be safer in the following sense: it is harder to get a fake one. On the other hand, it seems that existing attackers don't really bother obtaining fake SSL certificates anyway, so the increase in safety is, indeed, theoretical.

In practice, the need for an EV certificate (as opposed to a non-EV certificate) for your server does not come from a real need for security, but from a real need for a green bar. It is all about convincing customers that spending their money on your site is "safe".

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • EV certificates also check revocation more thoroughly (http://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html), although that may not entirely be a strong security mechanism (https://www.imperialviolet.org/2014/04/19/revchecking.html). – JZeolla Jun 19 '14 at 17:37
0

EV certificates are more secure than regular ones, because whilst ordinary certificates are validated against the full list of root certificates in the web browser, Extended Validation certificates are only checked against a more limited list of certificates that are allowed to sign EV certificates.

However, this does not work as expected in all browsers. Specifically, whilst Chrome and Firefox implement this correctly, Internet Explorer allows the installation of certificates which can be displayed as EV, even though, in reality, they are not.

user2428118
  • 2,768
  • 16
  • 23
  • What version of IE? If it's something really ancient like 8 or below, you're either on Windows XP, which isn't going to last much longer, or you're on Windows 7 and haven't updated ever (which is supposed to be automatic anyway). – Phoenix Logan Jun 19 '14 at 12:42
  • @PhoenixLogan The versions of Windows / IE to which this has been added are listed here: http://blogs.technet.com/b/askds/archive/2009/08/14/extended-validation-support-for-websites-using-internal-certificates.aspx – user2428118 Jun 19 '14 at 15:15
0

While user2428118 is correct that there are fewer vendors that provide EV certificates that really doesn't make any difference in the security.

The connection is encrypted equally well using a standard certificate (assuming the same key size, etc). Extended validation is there for the people level, not the technology. It provide users and management with a warm fuzzy feeling. Some organizations worry about it. For the most part I only advocate it on sites that will take credit card details.

See my answer below for more details.

Is there any technical security reason not to buy the cheapest SSL certificate you can find?

Tim Brigham
  • 3,762
  • 3
  • 29
  • 35