Quality vs. Quantity: SSL Certificate Verification Practices
VeriSign announced that GeoTrust (a VeriSign subsidiary) SSL certificates are the ones most often used to secure the most-visited web sites. This was established by cross-referencing the Alexa 1 Million with the July 2010 Netcraft SSL survey. The results showed 35,142 unique domains protected by GeoTrust SSL certificates out of the approximately 165,000 Alexa 1 Million sites on which Netcraft found certificates.
I took a closer look at the Netcraft SSL Survey data. It found 334,777 GeoTrust certificates, of which 304,199 were domain-only validated. As VeriSign states, “the chief intended purpose of SSL is authenticating sites and protecting transactions”; yet 91% of GeoTrust SSL certificates (304,199 of 334,777) provide no identifying information about who controls the web site.
Domain-only validated (DV) certificates are typically verified and issued through automated processes: the CA confirms only that the requester controls the domain (for example by responding to an e-mail sent to an address at the domain, or by placing a CA-supplied value in DNS or on the web server). Human intervention is minimized and organization checks are eliminated so that the certificates can be issued quickly and cheaply. As such, a DV certificate contains no verified identity in the organization name field. Typically this value just re-states the domain name, or simply says “Persona Not Validated”, or the field is absent altogether. The certificate therefore binds the public key to a domain name, not to a legal entity. This means that although the certificate supports transaction encryption, the end user cannot confirm who is on the other end. So the transaction is encrypted for whom?
Certificates verified using Organization Validation (OV) or Extended Validation (EV) practices contain the verified name of the entity that controls the web site. Certification Authorities issuing these certificates check with third parties, such as government business registries, to establish the official name of the organization and where it is located. The CA takes further steps to contact the requesting organization to confirm that it did indeed request the certificate and that the requester is authorized to receive the certificate on behalf of the organization. When visiting a web site using an OV or an EV certificate, the end user can use the certificate to verify that they are sending their transaction data to the intended recipient. One caveat: browsers display EV identity prominently in the address bar, while OV identity is only visible in the certificate details, so the user has to look for it.
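The distinction above can be checked mechanically: the Subject of a DV certificate has no meaningful O= attribute, an OV certificate carries a verified O=, and an EV certificate additionally asserts an EV policy identifier in its certificatePolicies extension. The script below is an added example, not code from the original post or from Entrust. It assumes OpenSSL 1.1.1 or later on the PATH (for `-addext`), builds five self-signed throwaway certificates whose Subjects mimic the shapes described above (constructed sample data, not real issued certificates), and classifies each one. It uses the CA/Browser Forum EV policy OID 2.23.140.1.1 as its EV marker; many CAs, especially at the time of this post, asserted their own vendor-specific EV OIDs instead, so a production checker must also consult the browser's list of recognized EV OIDs.

```shell
#!/bin/sh
# Added example: classify PEM certificates as DV, OV or EV from the Subject O=
# attribute and the certificatePolicies extension. Requires openssl >= 1.1.1.
# Heuristic (assumption for this example): no O=, O= equal to the CN, or
# O="Persona Not Validated" -> DV; any other O= -> OV, or EV when the
# CA/Browser Forum EV policy OID 2.23.140.1.1 is present.

WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# mkcert <name> <subject> [addext]: constructed self-signed sample certificate.
mkcert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" -addext "$3" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Sample Subjects mirroring the DV / OV / EV shapes discussed in the text.
mkcert dv-none    "/CN=www.example.com"
mkcert dv-domain  "/O=www.example.com/CN=www.example.com"
mkcert dv-persona "/O=Persona Not Validated/CN=www.example.com"
mkcert ov         "/C=US/ST=Texas/L=Dallas/O=Example Corp/CN=www.example.com"
mkcert ev         "/C=US/ST=Texas/L=Dallas/O=Example Corp/CN=www.example.com" \
                  "certificatePolicies=2.23.140.1.1"

# subject_field <pem> <shortname>: value of one Subject attribute, empty if absent.
# sep_multiline prints one "  SN=value" line per attribute, which is easy to grep.
subject_field() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p" | head -n 1
}

# has_ev_policy <pem>: true when the CA/B Forum EV policy OID is asserted.
has_ev_policy() {
    openssl x509 -in "$1" -noout -text | grep -q 'Policy: 2\.23\.140\.1\.1$'
}

# cert_identity <pem>: prints DV, OV or EV.
cert_identity() {
    org=$(subject_field "$1" O)
    cn=$(subject_field "$1" CN)
    if [ -z "$org" ] || [ "$org" = "Persona Not Validated" ] || [ "$org" = "$cn" ]; then
        echo DV          # domain bound, no verified organization identity
    elif has_ev_policy "$1"; then
        echo EV          # verified organization plus EV policy assertion
    else
        echo OV          # verified organization, no EV policy assertion
    fi
}

for c in dv-none dv-domain dv-persona ov ev; do
    printf '%-11s %s  (O=%s)\n' "$c" "$(cert_identity "$WORK/$c.pem")" \
        "$(subject_field "$WORK/$c.pem" O)"
done
```

The same `subject_field` and `cert_identity` functions work on a certificate saved from a live site (for example one captured with `openssl s_client -showcerts`), which is the quickest way to answer the question the post raises: does this certificate tell me who I am talking to, or only which domain name the key was issued for?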
At Entrust, 100% of our SSL certificates provide organization identity. All of our SSL certificates are intended to provide security, accountability, and trust.