I had the opportunity to review a verification issue last week, and it had me thinking of the value of EV certificates.
First for every SSL/TLS certificate request, our verification teams goes through a validation process to authenticate the identity, ownership or control of the domain name, and authorization to issue the certificate. This process is increased substantially for Extended Validation (EV) certificates. In this case, the identity is confirmed with the registration source and authorization is elevated to include confirming certificate issuance, and the contract approver is authorized.
In the case of the verification issue, the applicant requested a certificate for the verified domain wvvw.paypal-secure.com. Their address information was confusing, but they had a great web page.
Oops! Their page looks like a phishing site for PayPal. Best to check how the actual PayPal site looks.
Very similar, but notice the difference in the status bar.
All browsers have areas shown to the user which cannot be changed by the website administrator. The status bar is in this area. The browser uses the status bar to present site location and security information, which is based on the domain name, HTTP versus HTTPS, and certificate type.
What sets the legitimate PayPal site apart from the phishing site is their EV certificate type. With an EV certificate, browsers will use a green indication around the lock icon and will display the website owner’s identity. As such, your legitimate website will display trust through the green indication and your verified identity. It will show more trust than a phishing site as it is very difficult for an attacker to get an EV certificate with your identity.
Also, an EV certificate can help prevent a man-in-the-middle (MITM) attack. Over the last few years, we have seen MITM vulnerabilities when a root CA has issued an intermediate CA certificate to an end user (e.g., Trustwave, TURKTRUST, ANNSI and CNNIC). We have also seen MITM vulnerabilities by poor software design (e.g., Superfish, Komodia and PrivDog).
The advantage of EV is the root certificate must have metadata provided by the browser to state that it is trusted for EV. The metadata is only available once the CA has met the browser required EV qualifications. As such the metadata is not available when an attacker creates their root or issuing CA. As Gibson Research states, Extended Validation is completely spoof proof.
If you deploy an EV certificate, I recommend that you consider making effort to show your users the level of security you are providing. You want your users to know they are at your trusted site when they see the green bar. You also want them to be suspicious when they don’t see the green bar.
Update August 19, 2015: For more information see our white paper, The Business Value of Extended Validation.
Interested in learning more?
See EV in action. Learn the benefits of EV, get great resources and save big with our EV Cert Promotion, running from now until September 30, 2015.