What does an SSL* certificate do? Well, I am glad you asked. All an SSL certificate does is attempt to secure a connection from point A to point B. No more, no less. Cryptographically speaking, a self-sign, or Let’s Encrypt is no more or less secure than the most expensive certificate money can buy. So with this in mind – why on earth would you buy an EV (Extended Validation) SSL certificate for your website? This is an article about Extended Validation SSL certificates. It is all about one thing – customer confidence and knowing who is at the other end.
The following has been running as an advertisement on TV in the UK.
“…It’s a scam, if you order me you’ll get nothing. Look in there, you need a padlock when you pay for stuff. If there isn’t one, the website could be fake.”
Which technically speaking, I would take issue with. However – this is an effort to get Joe Q Public and Josephine Bloggs to pay attention to whether the site is secured before giving away any details. Sadly this is a half-truth at best. There is no guarantee of who you are dealing with at the other end**, not with a standard SSL anyway. You submit a CSR (certificate signing request), you-pays-your-money (or not), and you get a certificate. That is the end of it. There is little validation short of being able to receive an email for that domain, be able to create a DNS record or place a file on the website. The concept of Fake or Not Fake here is no guarantee – simply that the connection cannot be (casually) evesdropped.
This is where Extended Validation SSL‘s come in.
Those websites that have the company name after the padlock give you a far better sense of what and who you are connecting to, and that there has been a level of due diligence in the granting of a certificate. Certificates that include the company name have cleared the following hurdles:
– They have a valid company number that has been confirmed as active;
– The Dun & Bradstreet contact number for that company has been validated;
– Access to the email for that domain name registration has been validated;
– The application does not trigger any advisories in terms of their internal security needs.
After this has been completed – the way in which the address bar appears in the browser will change. After the padlock, the company name will be displayed and the country of registration. This is usually in green, (they are often referred to as GREEN BAR certificates because of this) however, keep in mind that themes can mean it will appear in other shades. We supply certificates from the CA’s GeoTrust, RapidSSL, Comodo, Symantec, Thawte, and Certum. Here is an example from Thawte showing roughly how these EV certificates will appear in various browsers:
The actual formal requirement for a CA (certificate authority) to issue an EV certificate can be summed up as:
“Establish the legal identity as well as the operational and physical presence of website owner”
“Establish that the applicant is the domain name owner or has exclusive control over the domain name.”
“Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.”
So your customer KNOWS who they are dealing with. They are contactable, accountable, the real thing – as close as they are going to get to be assured the other party is who they say they are: “Not Fake“.
The effects on customer confidence are quantifiable – and this is why you would go to the time, trouble and expense of protecting yourself from a number of spoof attacks, and take your site seriously.. trust.
To find out more about these certificates – or indeed any certificate worries, compliance needs, or just plain old “where do I start?” questions – get in touch. Either by raising a ticket through firstname.lastname@example.org or email@example.com – giving us a call – or using the chat client over there on the left-hand side. We would love to hear from you.
* SSL is a broad brush term used for web page certificates. The terms of reference are PKI (Public Key Infrastructure) – and in reality sites these days should be delivering these certificates over TLS as opposed to SSL. They are not the same, but for the purposes of this article, they are interchangeable.
** Disclaimer – it is possible to perform a Man In The Middle attack if the site does not use HSTS/certificate pinning and a number of other generally nasty things.