What are EV certificates?
Well, to understand that we need to see what normal certificates are, or rather, how easy it is to get them. The value of a digital certificate is only as high as the trustworthiness of the authority that issues it. After all, what good is a certificate from Microsoft, claiming that they truly are Microsoft, if I can create my own certificate telling you that no, I am the real Microsoft? This is why we have a select list of trusted Certificate Authorities (CAs), and these authorities in turn will validate that whoever asks for a certificate really is who they claim to be. The problem is that in recent years a great many new authorities have appeared, and many of them want to sell you certificates as cheaply as possible. In fact, some of them will give those certificates away.
In practice, there is no real verification being done. All you need to obtain a digital certificate to use on your SSL server is an email address. Needless to say, having such a low bar for entry causes problems. Not only can bad guys impersonate other companies and get certificates in their names, but now there is also the threat of a CA going rogue, or being duped into mass-producing these for anyone who wants them.
The solution: Extended Validation
EV certificates, where EV stands for Extended Validation, are the answer that the authorities came up with to help solve the problem. It was first introduced by Comodo, one of the big CAs, and has since been instituted as a guideline for all authorities. At first, these were simply more expensive versions of normal certificates, where the authority would actually phone you, or require that you send in papers proving that you really represent such and such company. It helps solve the authentication issue, but it is also a bigger money grab. This was fine at first because it was entirely optional. A bank or financial institution was keen on getting them because they needed a high level of trust, but most sites did not.
But people quickly realized that the end users, those whom all of this security is supposed to be set up to protect, had no real way to tell whether a site was using an EV certificate. After all, why pay extra if you do not get your money's worth in user confidence? So browser makers started creating visual changes in their interfaces to promote EV certificates. This is what led to the green bar that we now see in our URL bars when connecting to many encrypted sites.
The green bar dilemma
But as this change in browsers went from a very small visual cue to an entire green bar, highly visible to the user, it brought in a new problem. Users started to equate having the green bar with being connected to a secure site. In reality, as far as the protocols and the security of the connection are concerned, there is no difference whatsoever between being connected to a site that has an EV certificate and a site that has a normal one. The only differences are how much verification there is when the certificate is originally obtained, and how much money the business was willing to pay each year for the EV part.
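To make that last point concrete, here is an added example (not from the original article) that shows where the EV difference actually lives: browsers recognise an EV certificate by a policy OID in the certificatePolicies extension (the CA/Browser Forum EV OID 2.23.140.1.1, or a CA-specific OID from a list the browser maintains), not by anything in the key, signature or TLS handshake. It uses the `cryptography` library and builds two constructed, self-signed test certificates that are identical except for that extension; the hostname and validity period are placeholders.

```python
"""Detect the CA/Browser Forum EV policy OID in an X.509 certificate.

Assumption: EV status is signalled only by the certificatePolicies extension.
Real browsers also accept CA-specific EV OIDs from a per-CA list; this demo
checks only the CA/B Forum OID.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

CABF_EV_OID = x509.ObjectIdentifier("2.23.140.1.1")


def is_ev(cert: x509.Certificate) -> bool:
    """True if the certificatePolicies extension lists the CA/B Forum EV OID."""
    try:
        ext = cert.extensions.get_extension_for_oid(
            ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return False
    return any(p.policy_identifier == CABF_EV_OID for p in ext.value)


def make_test_cert(common_name: str, ev: bool) -> x509.Certificate:
    """Constructed self-signed certificate for demonstration only.

    Everything that affects the TLS handshake (key type, signature hash,
    validity) is the same whether or not ev=True; only the policy differs.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if ev:
        policies = x509.CertificatePolicies(
            [x509.PolicyInformation(CABF_EV_OID, None)])
        builder = builder.add_extension(policies, critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for ev in (False, True):
        cert = make_test_cert("example.test", ev)  # placeholder hostname
        print(f"ev={ev} is_ev={is_ev(cert)} hash={cert.signature_hash_algorithm.name}")
```

Running it prints the same signature hash for both certificates while `is_ev` differs, which is exactly the gap between what the green bar signals and what the connection actually negotiates.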