Extended Validation Secure Certificates

The security of data in transmission between the user and the website is only part of an SSL certificate’s purpose. Equally important is the confidence that you really are dealing with who you think you are.

Traditionally, browsers showed users that a connection was secure by displaying a “padlock” symbol at the bottom of the window and ‘https’ in the address bar. For a site to display both of these without the browser generating a warning, it needs to have been issued an electronic “Certificate” by an authority that the web browser trusts (a Certificate Authority, also known as a CA). Prior to the issue of a certificate, the CA would verify that the domain name in question was indeed owned or controlled by the organisation requesting the certificate. Consequently, the certificate provided an assurance that you were dealing with the organisation you believed you were, as well as that the information you exchanged was being transmitted securely.

As time passed, the quest to offer lower prices led some CAs to offer so-called “domain-validated” certificates. The only validation performed on these is that the person requesting the certificate has access to email sent to the address on the domain’s registry record. In effect it became cheap and easy for any domain name owner to acquire an SSL certificate with a minimal level of validation.

This left the average user unable to differentiate between certificates issued with the traditional higher levels of organisation validation and those issued with minimal validation. The industry’s solution to this problem is the introduction of Extended Validation (EV) Certificates, along with new mechanisms for browsers to indicate to users that the site is using an EV certificate.

Before issuing an EV certificate, the CA must perform strict validation on the request. For example, they must verify the legal existence of the organisation requesting the certificate, its ownership of the domain name in question, and that the organisation has indeed made the request. Consequently, visitors to an EV-certified website can have a high level of confidence that they are dealing with the organisation that they believe they are, in addition to the assurance that data is being transmitted securely.

The display of a certificate’s EV status is supported by Microsoft Internet Explorer 8, Mozilla Firefox 3.5, Safari 3.2, Opera 9.5, and Google Chrome. Older browsers cannot distinguish between EV and lesser-validated certificates. Browsers vary in the way that they show the user that an EV certificate is in use – for example, Internet Explorer displays a green address bar and Firefox displays a green button beside the address bar. As user awareness of Extended Validation Secure Certificates increases, it will become more important to have one to show your visitors that they can have confidence when dealing with your website.
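As an added illustration (not part of the original article), the sketch below shows the machine-readable signal software can use to tell domain-validated, organisation-validated and EV certificates apart: the CA/Browser Forum policy OIDs carried in a certificate's certificatePolicies extension. The OID values come from the CA/Browser Forum registry rather than from this page, and the function names, the CA-specific OID 1.3.6.1.4.1.99999.1 used in the test, and the sample bytes are constructed for the example.

```python
# CA/Browser Forum reserved policy OIDs (public registry values, not from the page).
CABF_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}

def read_tlv(data, pos):  # -> (tag, value bytes, position of the next element)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    subs, value = [], 0
    for byte in body:  # base-128 arcs; high bit marks a continuation octet
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs, value = subs + [value], 0
    first = min(subs[0] // 40, 2)  # first octet packs the first two arcs
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def policy_oids(ext_value):  # ext_value: DER bytes of the certificatePolicies value
    tag, policies, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(policies):
        tag, info, pos = read_tlv(policies, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids

def validation_level(ext_value):  # strongest CA/B Forum level asserted, else "unknown"
    found = {CABF_LEVELS.get(oid) for oid in policy_oids(ext_value)}
    return next((lvl for lvl in ("EV", "OV", "DV") if lvl in found), "unknown")

# Constructed sample input: helpers that DER-encode a policy list for the demo.
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        septets = [(arc >> s) & 0x7F for s in range(28, -1, -7) if arc >> s or s == 0]
        body += [b | 0x80 for b in septets[:-1]] + septets[-1:]
    return bytes([0x06, len(body)] + body)

def build_policies(*dotted):
    infos = [bytes([0x30, len(o)]) + o for o in map(encode_oid, dotted)]
    return bytes([0x30, sum(map(len, infos))]) + b"".join(infos)
```

A policy OID is only the issuing CA's own assertion; browsers that show an EV indicator also require the chain to end at a root they recognise for EV issuance.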

To discuss your secure certificate needs further please contact us about secure certificates.
