SSL/TLS Certificates

What are extended validation certificates? And are they dead?

SSL certificates serve two purposes: encryption and validation. Encryption protects traffic from eavesdropping and tampering, preserving the confidentiality and integrity of the information in any transaction. Validation ensures that the two communicating parties are actually who they say they are.

The need for enhanced identity verification drove the CA/Browser (CAB) Forum to create the Extended Validation Certificates (EV Certificates for short).

That sounded like a mouthful. But here’s what they look like.

[Figure: Extended Validation Certificate with the green address bar]

However, I haven’t seen a web browser certificate like this in a long time. As Troy Hunt points out, EV certificates are probably dead and they aren’t even used by the top ten websites on the internet.

And although the use of EV certificates has started to lose steam, you can still buy EV certificates from some of the major public certificate authorities. Let’s dive in to understand what they are and whether EV certificates are worth their premium price.

What are EV certificates?

An EV certificate is the highest assurance level of SSL certificate. All SSL certificates – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) – provide encryption and data integrity. However, they differ in how strictly the identity of the website owner is verified. An EV certificate provides the highest level of digital identity assurance by verifying the legal identity of the website owner.

According to the Guidelines for the Issuance and Management of Extended Validation Certificates the primary function of an EV certificate is to:

Identify the legal entity that controls a Web site: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information.

Confirmation of the website’s identity is carried out according to the rigorous CAB Forum guidelines and involves a strict vetting process by a public Certificate Authority. The Certificate Authority must validate the operational and physical identity of the party requesting an EV certificate. This is done by confirming the legal identity of the site owner and that the applicant owns and solely controls the domain. Because of this rigorous verification of the website owner’s identity, an EV certificate provides a high degree of trust for website visitors.

Prior to autumn 2019, a visitor to an EV-validated website could recognize it by the website name shown in green text, or by a green bar that displayed the legal name and geographic location of the company that owned the certificate. Starting from that period, however, both Mozilla Firefox and Google Chrome removed that indication. All SSL certificates now display the same grey padlock in the browser address bar.

If you want to know whether a site uses an EV certificate, you now need to click on the grey padlock and inspect the certificate details.

[Figure: Extended Validation Certificate shown without the green bar]
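Since the browser no longer flags EV visually, the way to tell EV from OV and DV is to look at the Subject fields the CA asserted (the legal name, jurisdiction, registration number and business category described in the guidelines above). The following is an added example, not code from the original post or from Keyfactor: a standard-library-only classifier over the dictionary that Python’s ssl.SSLSocket.getpeercert() returns, with constructed sample subjects; the attribute names are assumed to follow OpenSSL’s long names (e.g. jurisdictionCountryName).

```python
"""Classify a certificate as EV, OV or DV from its Subject attributes.

Operates on the dict returned by ssl.SSLSocket.getpeercert(), so no third-party
library is needed. Sample subjects below are constructed, not real certificates.
"""
import socket
import ssl

# Subject attributes the EV Guidelines require for the legal entity (assumed
# OpenSSL long names): organization name, business category, registration number.
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber"}
# At least one "Jurisdiction of Incorporation" attribute must also be present.
EV_JURISDICTION = {"jurisdictionCountryName", "jurisdictionStateOrProvinceName",
                   "jurisdictionLocalityName"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested RDN tuples into a plain {name: value} dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields

def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' depending on what identity the CA asserted.

    EV: full legal identity plus a jurisdiction attribute.
    OV: an organizationName but without the EV-only attributes.
    DV: no organization identity at all, only the domain name.
    """
    present = set(subject_fields(cert))
    if EV_REQUIRED <= present and EV_JURISDICTION & present:
        return "EV"
    if "organizationName" in present:
        return "OV"
    return "DV"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate of a live server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects in getpeercert() format (hypothetical values).
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),), (("countryName", "US"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}
OV_SAMPLE = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}
DV_SAMPLE = {"subject": ((("commonName", "www.example.com"),),)}
```

Run `validation_level(fetch_cert("www.example.com"))` against a real host to see what the CA actually asserted; the three samples classify as EV, OV and DV respectively.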

What are the use cases?

While the EV certificates are more expensive to acquire and the verification process is more difficult and time-consuming than for the rest of the SSL certificates, they present some tangible benefits.

First, they can make the lives of social engineers more difficult. Phishing sites impersonating legitimate organizations and businesses are a major threat to users and online services, and are one of the key vectors for stealing or compromising sensitive and personal data. Criminals can buy rather cheap DV certificates on the dark market to make their sites look legitimate and trustworthy and lure unsuspecting victims into unwittingly submitting financial or other personal information.

Rogue and phishing websites are a growing problem and emphasize the need for strong online identity verification. Visitors need reasonable assurance of the identity of the business they are dealing with in order to build and maintain trust with that business and feel safer conducting online transactions. EV certificates can protect business customers from falling victim to phishing attacks by displaying the site operator’s verified identity directly in the certificate.

Beyond protection against phishing, EV certificates are a great way to showcase compliance with security and privacy requirements enacted in various regulations, laws, and acts. HIPAA, PCI DSS, and GDPR require that companies protect their customers’ medical, financial and personal data against breaches. EV certificates can help businesses ensure a successful audit against these requirements.

Despite the above benefits, EV certificates are not for everyone. Organizations need to examine the added value of these certificates. They are best for high-profile websites that attackers commonly target for phishing attacks such as major retailers, banks, financial institutions, or public-facing government entities. In fact, any website collecting data, processing logins, or online payments can benefit from displaying their verified brand identity. EV certificates can be used in all applications that require stronger identity assurance and a high level of trust.

Benefits of EV over DV certificates

Domain Validated certificates (DV certificates for short) are the most basic form of SSL certificates. They are cheap to obtain, and the issuing process is fast. The verification process confirms that the domain is controlled by the party requesting the certificate. The CA either confirms the domain address by looking up the WHOIS record or provides a verification file that the owner places on the website to be protected, or the applicant creates a DNS record verifying control of the domain.

DV certificates do encrypt the traffic, just like any other certificate does, but the level of identity verification is low. The benefit of EV certificates over DV certificates lies in the level of identification: DV certificates verify the identity of the server, while EV certificates verify the legal organizational identity behind the website. If we add the poor certificate management procedures that result in compromised or stolen certificates, it becomes more difficult to distinguish a valid DV certificate from a rogue one. On the other hand, stolen EV certificates are rarer on the dark market, and where they do appear they are far more expensive than stolen DV certificates.

However, it all comes down to the human factor. An EV certificate means that the domain is owned by a registered legal entity. It does not mean that the site is de facto and de jure trustworthy. In 2016, Troy Hunt correctly pointed out that the effectiveness of EV certificates depends on how people and organizations recognize their value and act to protect them. Fast forward a few years, and he thinks the days of using EV certificates are gone.

Nevertheless, if EV certificates are to succeed, they require technical controls for managing their lifecycle that can be enforced without relying on the user.

This is where certificate lifecycle management automation comes in handy. Keyfactor lets you discover, manage, and automate every certificate across your enterprise. The platform helps you shift from reactive response to proactive visibility and automation with an end-to-end automated public key infrastructure (PKI) and certificate management solution.

Ryan Yackel

VP, Product Marketing