Extended Validation SSL Certificates: a new standard to inspire trust, improve confidence

Authors: Manish Gupta

E-commerce and online banking face a crisis of confidence. User trust in site security is declining, and a growing number of Internet users are scaling back their online transactions.

To regain user trust in the web and in online transactions, certificate authorities (CAs) and the CA/Browser Forum have developed a new, more user-friendly trust-level mechanism. Here is a brief on why SSL is losing its identity promise in today's web model and how CAs and the CA/Browser Forum are trying to win back user trust.

The Erosion of SSL’s Identity Promise:

Secure Sockets Layer (SSL) is the world standard for web security. SSL technology confronts the potential problems of unauthorized viewing of confidential information, data manipulation, data hijacking, phishing, and other insidious threats.

In 1995, when SSL was introduced, a standard SSL Certificate provided adequate protection for consumers. Times have changed: web scams have become more sophisticated, and these traditional certificates may no longer be adequate.

According to a Gartner report, in 2006 41.2% of online adults in the U.S. definitely received phishing emails, 46% changed their purchasing and online behaviour as a direct result of security concerns, and 10% reduced their online spending by at least 50%. As a result, nearly $2 billion in e-commerce sales were lost to user concern over security.

In the beginning the promise of a standard SSL Certificate was enough. Today, however, it is not. The reason lies in the architecture of identity authentication. While some CAs do a very good job of authenticating identity, others do very little or employ easily fooled practices. A site can even use a self-signed SSL Certificate with no identity authentication whatsoever.

To combat this problem, the CA/Browser Forum (consisting of over 20 leading web browser manufacturers, SSL Certificate providers, and WebTrust auditors) joined forces to create a new standard for web site identity authentication. After more than a year of effort, the CA/Browser Forum introduced the new Extended Validation (EV) SSL Certificate. This new standard is the most significant advancement for the World Wide Web's secure backbone since SSL Certificates were first introduced over a decade ago.

Extended Validation SSL

Extended Validation SSL Certificates offer web sites a better method for assuring their visitors of their legitimate identity.

Extended Validation (EV) SSL certificates are the result of an industry-wide effort to help increase identity awareness and provide consumers with a higher level of trust while online. These new certificates require businesses to complete a thorough documentation process and verify current business licensing and incorporation paperwork, in addition to verifying that the entity named in the EV certificate has authorized the issuance of the EV certificate.

An EV SSL Certificate offers e-commerce (online business) sites and consumers a highly endorsed and widely recognized level of protection from increasingly sophisticated Internet spoofing scams.

EV SSL contains a number of user interface enhancements aimed at making the identification of an authenticated site immediately more noticeable to the end user. New high-security browsers display EV SSL Certificates differently than traditional SSL Certificates. Rather than the subtle padlock symbol displayed by traditional SSL Certificates, EV SSL Certificates trigger the browser address bar in high-security browsers to change to an eye-catching green colour.

How Extended Validation Works

The EV architecture has been designed to offer reliable web site identity information to end consumers so that they can make the best possible decisions about which sites to trust. Achieving this mission has required modification to every component of the web's trust architecture. In addition to the new, highly understandable interface conventions, EV certificates owe their dependability to:

1) Modifications in authentication procedures and
2) Real-time certificate checking.

1. The first step is authentication. This procedure ensures that all information in the certificate is accurate and that the certificate requestor has the authority to obtain this certificate for this organization.

The CA/Browser Forum carefully crafted the EV authentication guidelines over the course of more than a year to ensure that the results of authentication were reliable.

2. Real-time certificate checking: Once a certificate is issued, the next step is to ensure that the certificate presented to the customer accurately reflects what the CA discovered, and that certificates purporting to meet the EV authentication standard actually do so. Certificate integrity is assured because every SSL Certificate is protected by a secure hash function and will not validate if tampered with in any way.

The EV infrastructure goes on to ensure that the certificate exists in good standing by using real-time certificate validity checking. This checking depends on two parallel infrastructures.

A. The first is OCSP (Online Certificate Status Protocol): OCSP performs a real-time revocation check for each certificate, so that if an EV certificate is compromised or for some other reason requires revocation, that certificate will not appear as valid in EV-compatible browsers.

B. The second real-time service is the Microsoft® Root Store. A very simple metadata marker indicates each EV certificate's status as such. To protect against the contingency that an unprincipled or incompetent CA might incorrectly issue certificates marked as EV certificates even though they haven't undergone correct EV authentication, the IE7 browser performs a real-time check against the Microsoft Root Store to ensure that this SSL root is approved for EV certificates.

Because of this check, if a CA were to issue certificates with the EV marker even though that CA was not approved to issue EV certificates, those certificates still would not activate the green address bar and the other EV interface enhancements. Likewise, if an existing CA were to fail its annual audit or repeatedly issue incorrect certificates under the EV banner, Microsoft would then have the ability to remove that root from the list of approved EV roots in the Microsoft Root Store.
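The two real-time checks described above (OCSP revocation status, and a root-store lookup that confirms the issuing root is approved to assert the EV marker), together with the integrity check that precedes them, can be modelled in a few lines. The following Python is an added example written for this page, not code from the article, a browser vendor or any CA. Every certificate record, OCSP answer, root fingerprint and policy OID in it is constructed for illustration (the "Acme" and "rogue" names and the `1.3.6.1.4.1.9999x` OIDs are placeholders), and the CA signature is stood in for by a SHA-256 digest over the certificate fields so that tampering is detectable; real certificates carry an RSA or ECDSA signature over such a digest.

```python
"""Toy model of an EV-aware browser's decision: is the certificate valid at
all, and does it qualify for the green address bar? All data is constructed."""
import hashlib
import json
from dataclasses import dataclass, replace

# Constructed EV policy OIDs (placeholders). Each approved EV root registers
# the OID(s) it may assert with the browser vendor.
ACME_EV_OID = "1.3.6.1.4.1.99999.1.1"   # placeholder: "Acme CA" EV policy
ROGUE_EV_OID = "1.3.6.1.4.1.99998.1.1"  # placeholder: CA not approved for EV

# Stand-in for the vendor's root store: root fingerprint -> EV OIDs that root
# is approved to assert. A root missing here may still be a valid SSL root,
# but nothing it issues will activate the EV interface.
EV_ROOT_STORE = {
    "sha256:acme-root-fingerprint": {ACME_EV_OID},
}

# Constructed OCSP responder table: serial -> "good" | "revoked" (else unknown).
OCSP_RESPONSES = {"1001": "good", "1002": "revoked", "2001": "good", "3001": "good"}


@dataclass
class Certificate:
    serial: str
    subject_org: str
    jurisdiction: str
    policy_oids: list          # certificatePolicies OIDs asserted by the CA
    root_fingerprint: str      # root the chain terminates in
    digest: str = ""           # stand-in for the CA's signature

    def tbs(self) -> bytes:
        """The 'to be signed' fields in a canonical encoding."""
        body = {
            "serial": self.serial,
            "subject_org": self.subject_org,
            "jurisdiction": self.jurisdiction,
            "policy_oids": sorted(self.policy_oids),
            "root_fingerprint": self.root_fingerprint,
        }
        return json.dumps(body, sort_keys=True).encode()


def issue(cert: Certificate) -> Certificate:
    """CA 'signs' the certificate: here, a digest over the TBS fields."""
    cert.digest = hashlib.sha256(cert.tbs()).hexdigest()
    return cert


def integrity_ok(cert: Certificate) -> bool:
    """Any change to a signed field breaks the digest, so the cert fails."""
    return hashlib.sha256(cert.tbs()).hexdigest() == cert.digest


def ocsp_status(serial: str) -> str:
    return OCSP_RESPONSES.get(serial, "unknown")


def evaluate(cert: Certificate) -> dict:
    """Apply the checks in order: integrity, revocation, then EV root approval."""
    if not integrity_ok(cert):
        return {"valid": False, "ev": False, "reason": "certificate tampered"}
    status = ocsp_status(cert.serial)
    if status != "good":
        # Assumption: an 'unknown' OCSP answer is treated as a failure (fail closed).
        return {"valid": False, "ev": False, "reason": f"ocsp status {status}"}
    approved = EV_ROOT_STORE.get(cert.root_fingerprint, set())
    if approved & set(cert.policy_oids):
        return {"valid": True, "ev": True, "reason": "ev root and policy match"}
    if cert.policy_oids:
        # The CA asserted an EV marker, but its root is not approved for EV:
        # ordinary SSL treatment only, no green bar.
        return {"valid": True, "ev": False, "reason": "ev marker from unapproved root"}
    return {"valid": True, "ev": False, "reason": "standard ssl"}


def demo() -> dict:
    """Constructed scenarios; returns each scenario's browser decision."""
    acme = "sha256:acme-root-fingerprint"
    legit = issue(Certificate("1001", "Example Corp", "US", [ACME_EV_OID], acme))
    revoked = issue(Certificate("1002", "Example Corp", "US", [ACME_EV_OID], acme))
    self_asserted = issue(Certificate("2001", "Example Corp", "US", [ROGUE_EV_OID],
                                      "sha256:rogue-root-fingerprint"))
    plain = issue(Certificate("3001", "Example Corp", "US", [], acme))
    tampered = replace(legit, subject_org="Other Corp")   # edited after signing
    return {
        "legit_ev": evaluate(legit),
        "revoked_ev": evaluate(revoked),
        "self_asserted_ev": evaluate(self_asserted),
        "plain_ssl": evaluate(plain),
        "tampered": evaluate(tampered),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} valid={decision['valid']!s:5} ev={decision['ev']!s:5} {decision['reason']}")
```

The ordering matters: the root-store lookup runs only on a certificate that has already passed integrity and revocation checks, and a matching EV marker is required on both sides (the certificate asserts the OID, and the root store lists that OID for that root), which is what lets the vendor switch off EV treatment for a CA that fails its audit simply by removing the root from the approved list. A real browser additionally verifies the chain's signatures and the signature on the OCSP response itself, which this model omits.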

Browser Support for EV SSL

Microsoft, the first browser manufacturer to support this new standard, integrated the EV SSL interface enhancement into Microsoft IE7. Although relatively new to the market, IE7 has already garnered 31% of the browser market. Additionally, Firefox 2.0 users can download an extension that enables them to see the green address bar when they encounter a VeriSign EV SSL Certificate.

1. IE 7 Address Bar

2. SSL Padlock

3. IE 7 Security Status Bar, which alternately displays the legal entity for this web site and the CA that identified that legal entity

In addition to changing the Address Bar shading, EV certificates display details about the business, such as the location of incorporation and country. Figure 2 provides an example showing the Microsoft Corporation and its location, Redmond (US).


Microsoft – http://www.microsoft.com

Certificate Authority Websites