SSL Certificates: Extended Validation Worth the Cost?
Internet users interact with SSL certificates when they access a web page or transmit data over the web. These certificates help confirm the rightful owner of the site, and that payment and other information is encrypted and safely transmitted.
However, one size of SSL certificates does not fit all websites, and there are many different levels of identification validation that go along with a certificate.
Melih Abdulhayoglu, CEO of certificate authority Comodo, has made it his mission to increase standards of identity validation in the certification space. For the last three years, Abdulhayoglu has been instrumental in promoting the extended validation certificate, which uses a more rigid standard of verification than previous certificates.
“An SSL certificate serves two purposes: security and trust,” he said. “Security because it encrypts information and trust because it displays an icon or other indicator that shows the data is secure because it’s encrypted.”
Different Levels of SSL Certificates
Until recently, most basic certificates only verified that the person or business with the certificate owned the domain name displayed in the URL bar. But, Abdulhayoglu and other certificate authorities found this level of verification unsatisfactory, especially with ecommerce, when consumers are asked to trust a website’s encryption enough to enter their credit card information.
“People trust those yellow padlocks, and half of them are not verified,” he said. “The ones issued are domain validation, and they just check if you own a domain. You cannot have encryption without trust.”
In 2005, Abdulhayoglu brought together many of the important software companies in the certification field for the first meeting of what would become the Certification Authority Browser Forum. which developed the standards for the extended verification SSL certificate.
“This requires us to find you or your company in a credible third-party database,” Abdulhayoglu said. “Once we find you, it requires you to validate your telephone number. It’s a very high validation standard, and there is a certain rejection ratio. It’s good enough for ecommerce. With EV, you know who are transacting with.”
Site owners can purchase a simple, non-EV certificate by merely confirming that they own the domain name. The process is quick, done entirely online, and the certificate is typically ready to use minutes after the purchase.
But for EV certificates, most certification authorities require confirmation of other items, such as the business’s physical address, phone number, incorporation documents, and more. It can get complicated to confirm and the process can take days, not minutes.
For example, if a business uses one address for its domain registration, and then another one for its telephone number or mailing address, an EV application could be rejected. They must all match. Similarly, if a business has a domain name registered under one business name, but the telephone number is listed as another business, an EV application could be rejected.
Do Consumers Know the Difference?
Most browsers now recognize the EV certificate and display a green URL bar when it is present. Abdulhayoglu said 40,000 sites are now using this type of certificate. Yet many consumers still do not know the difference between an EV certificate and one with less stringent validation. Extended validation is currently not a requirement for ecommerce businesses.
Michael Stearns, CEO of ecommerce service provider MightyMerchant. said without consumer awareness of what extended validation means, there is little incentive for merchants to purchase these more expensive certificates. Stearns’ company works with merchants to develop ecommerce websites.
“For most site owners, I don’t think the problem is that the shopper gets to the checkout page and they start wondering whether the domain is legitimate or it is a fake,” Stearns said. “Most shoppers
are primarily concerned to see the security lock. Certainly there are a lot of phishing schemes out there, but the same shopper who is going to fall for the phishing scheme is likely not going to be knowledgeable about EV certificates to fully understand what the added level of verification means.”
EV Certificates Cost More Money
The price on domain-verified SSL certificates varies and depends on whether they are single or mulitple domains, and on the level of encryption. For single domains with a one-year commitment, GoDaddy.com offers them from about $50 per year, VeriSign from $399 a year and GeoTrust from $249 a year. Abdulhayoglu’s company, Comodo. offers this type of certificate for $139 per year.
But EV certificates are more expensive, and merchants must weigh whether the extra expense is worth it. The price for EV certificates varies, depending on the number of domains, the term of committment and on the level of encryption and validation. GoDaddy.com charges roughly $100 per year for its EV SSL. Verisign prices its EV certificate from $995 per year, and GeoTrust’s EV SSL prices start at $899 per year. Comodo’s EV SSL certificates start at $359 per year.
Other Types of SSL Certificates
There are also more subtle types of certificates intended for site owners with more specific needs. Abdulhayoglu said there is a different variation called a multi-domain extended validation certificate, applying the extended validation standards to multiple domain names hosted on the same server. With this certificate, each domain name is validated individually.
Businesses with more than one hostname on the same domain name (server1.example.com, server2.example.com, etc.) can secure them all under a wildcard certificate, named for the “wildcard” asterisk used as the server name. The “*” is used as a substitute for all hostnames names occurring left of the main domain.
For site owners that use Microsoft’s MS Exchange or Office Communications Server, the Unified Communications Certificate meets their certification needs and is supported by these programs. Many different certification companies offer this certificate.
Extend Validation, or Not
PayPal’s green URL bar, for extended validation, as seen in Firefox.
However, Abdulhayoglu maintained the most important distinction is between extended validation certificates and non-extended-validated ones. He said it is up to credit card companies to accept extended validation as a necessary part of PCI compliance.
“PCI is a great standard, and I think they should take it to the next level by putting EV as a minimum standard for anyone accepting payments online,” he said.
Although browsers already display when a site has extended validation, both Stearns and Abdulhayoglu said most consumers are not aware of the difference. While an extended validation requirement, if it could be enforced, would undoubtedly cut down on the number of successful phishing and scamming attempts, there remains little incentive for smaller merchants to pay more for more identity checks. Stearns said large ecommerce companies have different needs than smaller ones when it comes to certification.
“We have gone through [the EV] process for some of our customers,” Stearns said. “But without an understanding on the part of consumers, I do not see a strong value and justification for the extra cost for an EV certificate. For a large ecommerce vendor, I think it makes sense to get the EV cert, but for a smaller vendor on a limited budget, I don’t think it is the best place to spend money.”
Internet Explorer 7, Mozilla Firefox (through add-ons), Safari, Opera and Google Chrome all support extended validation by notifying their users, via the change of colors in the browser bars, when they visit an EV site. As such, most consumers have the ability to verify that they can trust a site before they enter sensitive information. Whether or not they demand this level of trust is a different matter.