Web Hosting Basics – Extended Validation SSL Certificates
In 2005, a group of leading certification authorities (CAs) and Internet browsers came together to establish a more rigorous and harmonized approach to online SSL security.
Known as the CA / Browser Forum, the group decided that a standardized Secure Sockets Layer (SSL) method was needed to prove a website's authenticity across all browsers, for all CAs and for all Web users. In January 2007, new Extended Validation (EV) SSL certificates were at last released worldwide, and are expected to greatly enhance eCommerce and boost the confidence of online shoppers everywhere.
Wayne Thayer, Vice President of Development for GoDaddy – a world-leading SSL Web hosting provider, domain registrar and major member of the CA / Browser Forum – told TopHosts that the aim of EV SSL is to provide a much-needed, unvarying way of ensuring legitimacy online.
"There were a number of major players that felt we needed to create some sort of standard we could bring to the marketplace," Thayer said. "A certificate that meant the same thing no matter where you bought it from."
Thayer explained that, up until the launch of EV SSL, many different levels of SSL certificates could be obtained, but none really went beyond WebTrust – a seal awarded to sites that adhere to certain business standards. Many different types of SSL certificates, like GoDaddy's Turbo SSL and High-Assurance SSL, for example, provide great protection and online assurance, but may not abide by the same rules and regulations as those of other CAs and Web hosting providers. There is simply no uniformity among them, and they do not address growing concerns regarding phishing, a form of Internet fraud that uses fake websites to steal valuable information such as credit cards, SSNs, IDs and passwords.
With EV SSLs, all CAs must adhere to the same security standards when processing certificate requests, while visitors to EV SSL-secured sites can trust that the online organization has undergone the same universal authentication process.
"The EV vetting process creates a very strong tie between the organization that is named in the certificate and the actual real world organization," Thayer said. "… EV SSL has a number of additional steps that make it much more difficult for fraudsters to perform phishing and pretend they're something they're not."
The CA / Browser Forum outlines a new EV SSL vetting process, which validates elements such as the legal existence of the site, the legal name of the entity, a registration number and the right to use the domain name, along with other legal indications. To apply for an EV SSL certificate, the business must present a letter from an attorney or an accountant. The process verifies the organization's identity, the validity of the request and the overall legitimacy of the business.
Unlike the standard padlock icon method used for all other SSL certificates, browsers with EV support will display a green address bar and a special label, which names the website owner and the CA that issued their certificate. This visual tool is especially useful for domains considered to be a high-risk target of phishing and other fraud schemes. Banking sites, auction sites, retailers and other financial services can better communicate their legitimacy to users, allowing visitors to confirm that any online information they volunteer is safe and protected by EV.
Currently, only the Internet Explorer 7 and Opera 8 browsers are EV-ready and support the new visual indicators. Mozilla and Safari are known to be committed to supporting the concept of EV, with Firefox expected to implement it in its version 3 release.
So far, Thayer says, adoption of EV SSL has been slow, but exactly as expected. Larger eCommerce sites are taking to it more quickly, as they recognize its potential for combating phishing. But it may take longer for it to take off within the smaller business community.
Currently, the standard requires companies to be incorporated to qualify for EV, which severely limits adoption by smaller entities wanting the universal assurance EV SSL certificates offer. Thayer explained that implementing EV SSL for smaller businesses is difficult, as they do not maintain the same official documentation that corporations do.
Instead, smaller businesses identify themselves primarily through state-level and local files, making it harder to fit them into the universal EV SSL approach. But Thayer says GoDaddy and the CA / Browser Forum are working to establish EV SSL security for the smaller business community in the near future.
Yet, as IE 7 becomes more widespread and as more SSL certificates begin to expire, companies will likely consider the advantages of EV and take on the new certificates.
"I think as you see Internet Explorer 7 gain more traction and as more begin to see and recognize the green address bar, we'll see more adoption of these certificates," Thayer said. "It's too early to tell right now, it's only been a couple of months, so if most SSLs expire within a couple of years of issue … we'll see a majority of sites rolling over to EV by January 2009."