6

Every time an SSL cert comes up for renewal, my provider tries to sell me an Extended Validation certificate. The big difference is the green address bar in FireFox and Safari for quadruple or quintuple the cost.

Supposedly, the benefit (and reason for the green bar not shown in IE8 or Chrome) is deeper authentication of the requesting party. But I can detect little actual difference between Verisign's own minimum requirements (from their CPS) for all SSL certs (section 3.2.2):

At a minimum VeriSign shall:
• Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,

• Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.

Where a domain name or e-mail address is included in the certificate VeriSign authenticates the Organization’s right to use that domain name either as a fully qualified Domain name or an e-mail domain.

and EV requirements (Appendix F14C):

(C) Business Entities
To verify a Business Entity’s legal existence and identity VeriSign verifies that the Entity is engaged in business under the name submitted by Applicant in the Application. VeriSign verifies that the Applicant’s formal legal name as recognized by the Registration Authority in Applicant’s Jurisdiction of Registration matches Applicant’s name in the EV Certificate Request. VeriSign records the specific unique Registration Number assigned to Applicant by the Registration Agency in Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the Applicant’s date of Registration will be recorded. In addition, the identity of a Principal Individual associated with the Business Entity is verified in accordance with Section 14(b)(4) of the EV Guidelines.

So:

1) Do EV certificates actually inspire more trust among users?

2) Do EV certificates actually help fight phshing/fraud/any of the things vendors list?

3) If they actually performed the minimum requirement, doesn't that include all the EV stuff? What am I missing?

sh-beta
  • 6,756
  • 7
  • 46
  • 65

6 Answers6

3

Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).

First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800 page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.

On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.

As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:

The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.

To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.

Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.

womble
  • 95,029
  • 29
  • 173
  • 228
  • 1
    I agree, but I hesitate to mark this as my chosen answer without some less anecdotal evidence. – sh-beta Oct 23 '09 at 17:52
  • Meh, choosing it anyway. Still open to a more complete answer, though. – sh-beta Oct 26 '09 at 16:52
  • Not sure what this answer has to do with EV certs, its more of a rant against bad security practices (I think)and actually states that what's validated isn't important (completely incorrect and misleading) – Jim B Sep 10 '15 at 01:01
  • Yes, what is validated by EV *isn't* important. If you have evidence to the contrary, I'd love to see it. Peter Gutmann is a well-respected expert in the field, though, and the book I referenced has a *lot* of references to primary sources. – womble Sep 10 '15 at 01:07
  • @womble you're arguing against a straw man **nobody asserts that having an EV certificate means you're good**. Similarly your passport doesn't mean you're a good person: however as a mechanism for knowing who you are it still has value. – mikemaccana Sep 10 '15 at 14:19
  • 1
    You can see what's verified here http://www.webtrust.org/homepage-documents/item27852.pdf If you don't think that preventing making site impersonation certificates to perpetrate MITM attacks is worthwhile, I'm not sure what you would consider important. As @mikemaccana mentioned certificate verification has nothing to do with security practices of the whole. It's completely unrelated, and if that's gutmann's assertion, well he's wrong. Looking at his homepage it's clear he's no fan of the most widely deployed cert based transport layer security system (which he claims isn't widely deployed) – Jim B Sep 10 '15 at 19:22
  • First part of the OP's question: "Do EV certificates actually inspire more trust among users?" Also, the research is fairly clear in showing that the word "certificate", amongst ordinary users, has a different meaning to that which is used within X.509. Finally, **the CAs own case studies** make the assertion that "having an EV certificate means you're good", as does much of the EV marketing. The word "trust" comes up a lot, and what conclusion are consumers supposed to draw other than "EV certificate == trustworthy"? – womble Sep 10 '15 at 20:47
  • @womble which case studies make the assertion that an EV certificate is proof of a company's goodness? Please provide a link. – mikemaccana Sep 12 '15 at 15:55
  • The first case study in the list of case studies I linked to in my answer provides a wonderfully textbook example: "By upgrading to EV, we've been able to give our customers an obvious signal that it's safe to buy from us". Note that they don't say, "that they know who they're buying from", but "**an obvious signal that it is safe to buy from us**". – womble Sep 12 '15 at 21:54
  • @womble, that's exactly what it means- you are now in a place where you can safely buy. Your connection to shady company Alice has not been compromised. It does not say that it is a place you should do business. They might have shady security- but that's the users choice. I can't find any reference to an implication of company security-just connection security, and frankly that's all that matters since there isn't an agreed upon, definititive standard that's worldwide. – Jim B Sep 13 '15 at 01:51
  • OK then, [Humpty](http://thinkexist.com/quotation/when_i_use_a_word-humpty_dumpty_said_in_rather_a/214617.html). – womble Sep 13 '15 at 04:17
3

Most of the answers here have both sides covered, but I figured I'd chime in (eventhough, as I work for Thawte, I may also be taken "with a grain of salt"). EV SSL works splendidly to solve a very serious problem -- verifying the identity of websites and encrypting connections between them, which cuts down on phishing significantly -- but oddly enough most discussions are less about whether or not it works and more about whether or not people will notice. And due to skepticism surrounding consumers' recognition of the technology, some sites have opted out of EV -- despite the fact that most IT professionals are arguing that widespread encryption will be the only way to maintain a secure internet, and when a good deal of what EV SSL does in the first place is to educate consumers so they can discern between fake and real sites (the green url bar, etc). So it's a catch 22. Consumers will never learn unless they get their hands on technology like EV, and learn that stuff like padlocks and CAs really aren't all that inaccessible to the layman, but since they aren't educated enough to tell the difference at the moment EV is avoided as a money trap. This is a shame, because studies have shown that EV can reduce the amount of abandoned shopping carts and other obstacles to conversion (not only in the VeriSign study but in other independent 3rd party studies). And, of course, everyone needs some kind of encryption.

My advice: most companies offer a 30-day trial of EV or some such. Try it out and maybe run a few casual surveys with your customers to see how they respond. That should give you a better sense of whether or not it's a good investment for you personally.

2

The idea was that Certificate Authorities would spend the money you paid for a certificate to make you you actually were who you said they were, by checking official records and fun things like that. They soon realised they could make more money if they didn't do as many checks, and many just check that you can receive email to the domain you're creating a certificate for. Then a bunch of people got together and said "well, you're not really doing the job you were meant to be doing" and the CAs came back and said "well why don't we create EV certificates, which we'll do more rigorous checks on, like we were originally meant to", so now you have standard certificates and EV certificates, which have had more rigorous identity checks performed. The browser makes it clear that these new certificates are different, presumably so people who've bought an EV certificate can feel they've got something worthwhile for their extra money.

But in the end, most people don't have a clue about security or encryption and as long as they see a padlock they assume they're secure. Yes an EV certificate is better, but most people wouldn't know the difference.

For technical people, I think you can consider normal certificates good for encryption only, and EV as encryption with better authentication.

David Pashley
  • 23,151
  • 2
  • 41
  • 71
  • +1 Just like the rest of the CA business, the EV thing is a ripoff. – janneb Oct 22 '09 at 08:02
  • 1
    I think the high cost of certificates has a benefit, in that it stops casual impersonations. – David Pashley Oct 22 '09 at 08:31
  • 3
    There *is* a real value to EV certificates: They actually tell you the *real* name of the person/entity behind the site you are connected to, versus just making sure you are connected to the URI you wanted to connect to. So, it will e.g. also protect you from mistyping the URI. However, few people understand the distinction. – sleske Oct 22 '09 at 08:54
  • But EV doesn't seem to do any deeper authentication checking than non-EV - they claim that, but compare sections 3.2.2 and Appendix F14C of http://www.verisign.com/repository/CPSv3.8.1_final.pdf and EV is the same thing in different lingo. Moreover, browsers supposedly make the difference clear - but neither IE8 nor Chrome give any visual indication of an EV cert. Firefox and (I think) Safari do, but that's a big chunk of users who don't see anything different. – sh-beta Oct 23 '09 at 17:51
  • @sh-beta That's incorrect. A Certificate Policy Statement is part of webtrust and covers the full requirements for all types of validation including EV. Of those requirements, *only* the baseline requirements apply to domain validated certificates (ie, proving you own a domain). – mikemaccana Sep 10 '15 at 14:23
1

I do not think anyone will ever consciously think to mention it to you, but we used to have a lot of customers who would ask us to create private listings on eBay for items because they felt safer doing business there. In reality we've been in business for 15+ years, are nearly the largest vendor in the world for our product, and yet, we have a specialized market and therefore not a lot of recognition with new customers.

The point of an EV is just so that consumers know you're not just some fly-by-night website put up by Joe Conman, but rather, that you're an actual business, doing business in a regular fashion, with known and registered location and identities. That's not a small deal for a lot of people.

Ultimately, if EV works, it'll be somewhat transparent, but it'll mean more people finish their purchases because they feel more secure (and rightfully so).

Rob_vH
  • 111
  • 1
1

We purchased an EV cert. I've NEVER had anyone tell me they were glad we had it. I'd be willing to bet that the majority of internet users would enter all of their information on a non-secured site and wouldn't even notice if it was secure or not.

GregD
  • 8,713
  • 1
  • 23
  • 35
  • That's a pretty bold assumption to make. Users are pretty careful when it comes to putting in their details, it's just the many inexperienced Internet users that make it seem like everyone with a credit card is an idiot. – gekkz Oct 22 '09 at 09:11
  • 3
    You don't support end-users then? ;) – GregD Oct 22 '09 at 17:24
  • 1
    @gekkz: You don't think that "the many inexperienced users" don't constitute a majority? – womble Oct 23 '09 at 23:20
1

Well, hard to tell. Probably most users don't really understand the difference to regular certificates, though the green bar will usually be noticed, and some might get a feeling that it is "safer".

There is a study here: http://www.verisign.com/static/040655.pdf on the effects of EV certs on web users. It seems to have a noticeable effect in that study, e.g. 59% of users said they'd become suspicious if a site that used to have a green address bar stopped having one.

However, the study is commissioned by Verisign, so take it with a grain of salt.

I would say that for most people EV probably does not matter, but to those for whom it does, it will be a point in your favor. So if the cost is not prohibitive for you, get one.

sleske
  • 9,851
  • 4
  • 33
  • 44