Essentially an SSL/TLS certificate is a form of digital identity for your website. The level of identity differs depending on the type of certificate that you have – compare it to how a gym membership ID contrasts with a driver’s license versus a passport. Each has increasingly more information that further validates your identity. In that way, it’s similar to SSL/TLS certificate verification for the different certificate types.
How are Certificates Verified?
Verification methods for the three types of SSL/TLS certificates must follow strict guidelines established by the CA/Browser Forum. The verified information is included in publicly trusted SSL/TLS certificates and differs by certificate type. The most basic is domain validation (DV); the next level up is organization validation (OV), which includes some identity assurance; and extended validation (EV) provides the most identity checking. The verification process escalates with each certificate type, and so does the price.
Identity v. Undisclosed SSL/TLS Certificates
A mix of EV and OV certificates are widely used by organizations that want to provide their customers with strong encryption technology as well as deliver identity assurance. Identity assurance helps customers recognize whether or not a website is legitimate. It also prevents the brand from suffering damaging losses associated with phishing scams and other nefarious online activity.
EV and OV certificates are used primarily for client-to-server transactions where sensitive information (e.g., user name, password, credit card information, etc.) is being transferred over the Internet. Encryption ensures the data cannot be stolen as it makes its way to the organization. The identity piece gives website visitors the ability to positively identify that the website they’re on is authentic.
DV certificates only verify control over a domain, separating encryption from authentication. Because no identity checks are performed, DV certificates lack an identifiable paper trail, and that is where they differ from EV and OV certificates. All three certificate types provide the same strong level of encryption.
DV certificates are best used in situations that do not require identity assurance, which makes them a good choice when encryption for server-to-server communication is needed quickly – for example, transferring data between two internal servers.
The purpose of a DV certificate is to give IT professionals a fast and affordable way to encrypt non-sensitive data that is passed over the Internet. Some CAs issue DV certificates through an automated process at no charge; the domain owner does not even supply a credit card. The ability to acquire these certificates anonymously gives bad actors an opportunity to appear legitimate without leaving a trace of identity, which is why DV certificates are associated with a high level of phishing activity.
There has been some discussion among industry leaders about the contexts in which DV certificates should be used and whether they are sufficient for ecommerce transactions. No identifying information is attached to a DV certificate, so DV offers no value to people who want to build trust with their website visitors.
Major browsers indicate that a website is secured with a DV certificate by showing the padlock with HTTPS in the address bar, but do not show organization details because none exist. These certificates validate domain ownership only and do not tie a domain to a person, place or entity.
OV certificates have been issued since the mid-nineties, making them the legacy certificate type of the SSL/TLS ecosystem. These certificates have always required the certificate subscriber to complete an identity verification check. Disclosing identity provides accountability, and a confirmed identity shows visitors that they are on the authentic site and not a look-alike.
OV certificates must be validated according to stringent industry guidelines. The process requires three checks before an OV certificate can be issued. The subscriber must:
- show control over the domain name(s), either by demonstrating control directly or by having the owner of the domain name authorize it;
- have their organization verified by an approved third-party system confirming that the organization is registered and valid; and lastly,
- be able to authorize certificate issuance. The CA contacts the applicant using an accepted communication method, typically by phone at a number that has been validated as registered to the named identity.
In addition to the domain ownership check required for DV certificates, the organization is validated before an OV certificate is issued. Once validated, the certificate can be deployed, and users can view the website’s confirmed identity in the certificate details in most major web browsers.
In addition to the checks conducted for DV and OV certificates, EV certificates require a jurisdiction check with the incorporating agency or registrant, a certificate subscriber agreement signed by a validated endorser, and certificate issuance must be approved by a validated certificate endorser.
Because EV certificates undergo a higher level of verification, more identity information is provided and the authorization level is higher; the result is greater reliability. Browsers show a higher trust level for EV certificates in the address bar than for DV or OV certificates. Depending on the browser, this may be indicated by a green lock icon or by the name of the verified organization – each browser handles this differently. High-value organizations such as financial services institutions typically prefer EV certificates to help their customers discern when they are on the authentic website. EV certificates are also a good choice for landing pages, to confirm the organization’s identity and increase site trust.
EV verification gives customers more confidence to transact on a website and helps preserve brand reputation for the organizations that use them. It leaves a detailed paper trail, giving customers recourse should they be victimized by nefarious activity while transacting on that website. In most major browsers, EV certificates are distinguished by a locked padlock, the organization name and sometimes the country ID in the address bar. The organization’s details can be found by clicking on the padlock and reviewing the certificate details.
The amount of verification behind the various certificate types is reflected in the price. The increased vetting for EV certificates in particular, and for OV certificates, is what makes high-assurance certificates more expensive. EV certificates come with the most comprehensive verification, which includes domain verification and cross-checks against several governmental and internal checkpoints that tie the entity to a specific physical location. SSL/TLS certificates are an integral part of an organization’s overall IT security posture.
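As an added example (not part of the original post), the Python below reads a certificate in the dictionary format that Python’s `ssl.getpeercert()` returns and reports its validation level and the identity details a certificate viewer can show, which is the DV/OV/EV distinction described above. The sample certificates are constructed, and the policy OIDs are the ones the CA/Browser Forum reserves for DV, OV and EV certificates, which the post itself does not cite.

```python
# CA/Browser Forum reserved certificate-policy OIDs; authoritative when available.
CABF_POLICY_OIDS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
# Subject attributes (OpenSSL names, as ssl.getpeercert() reports them) added by
# OV vetting (who and where) and by EV vetting (legal existence and jurisdiction).
OV_FIELDS = ("organizationName", "localityName", "stateOrProvinceName", "countryName")
EV_FIELDS = ("businessCategory", "serialNumber", "jurisdictionCountryName")

def subject_attrs(cert):
    """Flatten getpeercert()['subject'] (a tuple of RDN tuples) into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert, policy_oids=()):
    """Return 'DV', 'OV' or 'EV'. A policy OID decides; otherwise infer from the subject."""
    for oid in policy_oids:
        if oid in CABF_POLICY_OIDS:
            return CABF_POLICY_OIDS[oid]
    subj = subject_attrs(cert)
    if "organizationName" not in subj:
        return "DV"  # domain control only: nothing ties the name to an entity
    if all(field in subj for field in EV_FIELDS):
        return "EV"  # registration number and jurisdiction were vetted
    return "OV"

def identity_shown(cert):
    """Identity details a browser's certificate viewer can show; empty for DV."""
    subj = subject_attrs(cert)
    return {f: subj[f] for f in OV_FIELDS + EV_FIELDS if f in subj}

def validated_names(cert):
    """DNS names whose control was checked: the only fact every level proves."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample certificates in getpeercert() format (not real certificates).
DV_CERT = {"subject": ((("commonName", "shop.example.test"),),),
           "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test"))}
OV_CERT = {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "Texas"),),
                       (("localityName", "Austin"),), (("organizationName", "Example Retail LLC"),),
                       (("commonName", "shop.example.test"),)),
           "subjectAltName": (("DNS", "shop.example.test"),)}
EV_CERT = {"subject": OV_CERT["subject"] + ((("businessCategory", "Private Organization"),),
                                            (("serialNumber", "0801234567"),),
                                            (("jurisdictionCountryName", "US"),)),
           "subjectAltName": (("DNS", "shop.example.test"),)}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(validation_level(cert), validated_names(cert), identity_shown(cert))
```

To run the same check against a live server, replace the constructed dictionaries with the result of `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`.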
7-Part Blog Series
- SSL/TLS 101 – Why Do I Need an SSL/TLS Certificate
- SSL/TLS Certificate Types – Choosing the Right One for Your Use Case
- SSL/TLS Verification – Digital Identity for Your Website
- What is a SAN (Subject Alternative Name) and how is it Used?
- What is a CSR and How Do I Get One?
- What’s the Difference between a Public and Private Trust Certificate?
- How to Build an SSL/TLS Certificate | The Five Simple Steps That Bring You to HTTPS