The Internet was not designed with millions of daily commercial transactions in mind. In fact, security was not a high priority when the Internet's design was coming together; a distributed infrastructure, scalability, and stability all mattered far more. When the rise of e-commerce made encrypted, secure communication necessary, a trusted encryption solution had to be put in place. Secure Sockets Layer (SSL) certificates began to be issued by Certificate Authorities (CAs), which a user's web browser could query to confirm that a certificate was authentic and that the website was, to some degree, official. Although this system worked, it had one major flaw: anyone could easily purchase a CA-signed certificate and use it for malicious ends while appearing to be a trustworthy party. This is why, in 2008, WebTrust released a new X.509 certificate standard intended to provide a more trustworthy browsing experience. The new standard was called Extended Validation (EV), and it was quickly adopted across the web, as many browsers already supported the move toward a more secure certificate.
EV SSL Certificates
EV SSL certificates require a more extensive vetting process than their standard CA-signed counterparts. To obtain one, an applicant must prove both that they own the website the certificate will be used for and that they are who they claim to be. The standard is backed by WebTrust and requires issuing companies to manually review each application for an EV SSL certificate. The same authorities that sold the certificate can also be queried by users to discover revocations and other pertinent information about it. Each certificate also carries an Object Identifier (OID) that tells a user's browser which authority to ask for information about the certificate.
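As an added example (not code from the original article), the following stdlib-only Python sketch shows the check a browser performs on the OID just mentioned: it parses the certificatePolicies extension of an X.509 certificate and looks for the CA/Browser Forum EV policy OID 2.23.140.1.1. The extension bytes are constructed inline, and the EV OID list is an assumption for this example (real browsers also recognise CA-specific EV OIDs shipped with their root store).

```python
"""Does an X.509 certificatePolicies extension carry an EV policy OID?
Stdlib-only DER parsing; sample bytes at the bottom are constructed, not real."""
# CA/Browser Forum EV policy OID. Assumption: real browsers also accept
# CA-specific EV OIDs shipped with their root store; those are omitted here.
EV_POLICY_OIDS = {"2.23.140.1.1"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OID content bytes (base-128 arcs) into dotted notation."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(ext_value):
    """List policyIdentifier OIDs from a certificatePolicies value, i.e.
    SEQUENCE OF PolicyInformation { policyIdentifier OID, qualifiers OPTIONAL }."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        itag, oid_bytes, _ = _read_tlv(info, 0)   # OID is first; qualifiers ignored
        if tag != 0x30 or itag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_bytes))
    return oids

def is_ev(ext_value):
    """True when any policy OID is a recognised EV policy OID."""
    return any(oid in EV_POLICY_OIDS for oid in policy_oids(ext_value))

# Constructed samples: the first lists 2.23.140.1.1 plus the DV OID
# 2.23.140.1.2.1; the second lists only the DV OID.
EV_SAMPLE = bytes.fromhex("30133007060567810c01013008060667810c010201")
DV_SAMPLE = bytes.fromhex("300a3008060667810c010201")
```

Calling `is_ev(EV_SAMPLE)` returns True and `is_ev(DV_SAMPLE)` returns False; a browser additionally checks that the issuing CA is one its root store marks as EV-capable for that OID.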
It should be said that although this greatly improves the validity of the certificate, many security researchers still complain that the major problem with certificate issuers in general is the lack of accountability when they issue certificates. Additionally, many small business owners find that the pricing of EV SSL certificates cuts them out of web commerce: larger websites can afford EV SSL certificates, while smaller vendors can only afford basic signed SSL certificates, making them appear less trustworthy than their larger competitors. Finally, many argue that the lack of public knowledge about security features leaves users vulnerable to phishing attacks. The security of any SSL certificate relies on the user actually knowing how the system works, which is an inherent weakness of most security policies.
EV SSL in Firefox
In most browsers, including Mozilla's Firefox, an EV SSL certificate is identified and a secure connection established automatically. The browser's address bar then turns green to show that the website is using an EV SSL certificate rather than a regular CA-signed one. In Firefox specifically, only the website's icon and the name of the website turn green in the address bar. To view the certificate, click the icon and then the "More Information" option to confirm that the website's identity matches what the certificate states.
All screenshots by the author.