Have you ever noticed that your browser sometimes displays a website’s organization name on an encrypted website? This is a sign that the website has an extended validation certificate, indicating that the website’s identity has been verified.
EV certificates don’t provide any additional encryption strength – instead, an EV certificate indicates that extensive verification of the website’s identity has taken place. Standard SSL certificates provide very little verification of a website’s identity.
How Browsers Display Extended Validation Certificates
On an encrypted website that doesn’t use an extended validation certificate, Firefox says that the website is “run by (unknown).”
Chrome shows no organization name at all and simply says that the website’s identity was verified by the certificate authority that issued the website’s certificate.
When you’re connected to a website that uses an extended validation certificate, Firefox tells you it’s run by a specific organization. According to this dialog, VeriSign has verified that we’re connected to the real PayPal website, which is run by PayPal, Inc.
When you’re connected to a site that uses an EV certificate in Chrome, the organization’s name appears in your address bar. The information dialog tells us that PayPal’s identity has been verified by VeriSign using an extended validation certificate.
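What the browser is reading when it decides between these two displays is the certificate itself: an EV certificate carries a certificate-policy OID the browser has on file for the issuing root (the CA/Browser Forum’s generic EV OID 2.23.140.1.1 is one such value), while an organization-validated one has only an O= name in its subject and a domain-only one has neither. The following Go program, an added example that is not part of the original article, classifies a leaf certificate that way; the self-signed sample certificates it builds are constructed for the demonstration and are not real PayPal or CA-issued certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID (2.23.140.1.1) and the certificatePolicies extension OID (2.5.29.32).
var oidCABFEV, oidCertPolicies = asn1.ObjectIdentifier{2, 23, 140, 1, 1}, asn1.ObjectIdentifier{2, 5, 29, 32}
// Classify reports the validation level a leaf certificate asserts about itself: "EV" if the EV policy
// OID is present, "OV" if only an O= name is present, otherwise "DV". Chain trust is not checked here.
func Classify(cert *x509.Certificate) string {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertPolicies) {
			continue
		}
		// PolicyInformation is SEQUENCE { policyIdentifier, qualifiers OPTIONAL }; encoding/asn1 ignores
		// trailing SEQUENCE fields, so decoding only the OID also works on real certificates.
		var policies []struct{ ID asn1.ObjectIdentifier }
		if _, err := asn1.Unmarshal(ext.Value, &policies); err == nil {
			for _, p := range policies {
				if p.ID.Equal(oidCABFEV) {
					return "EV"
				}
			}
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}
// makeCert builds a self-signed sample certificate (constructed for this example, not issued by any
// CA) with the given O= values and, when ev is true, the CA/B Forum EV policy OID.
func makeCert(org []string, ev bool) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "example.test", Organization: org}}
	if ev { // SEQUENCE OF PolicyInformation carrying just the EV OID
		raw, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{oidCABFEV}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Browsers additionally require that the EV OID be one registered for that particular root and that the chain validate, so this classifier tells you only what the certificate claims, not whether a browser would show the green organization name.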
The Problem with SSL Certificates
Years ago, certificate authorities used to verify a website’s identity before issuing a certificate. The certificate authority would check that the business requesting the certificate was registered, call the phone number, and verify that the business was a legitimate operation that matched the website.
Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper, as it was less work for the certificate authority to quickly check that the requester owned a specific domain (website).
Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and purchase a domain-only certificate for it. When a user connected to paypall.com, the user’s browser would display the standard lock icon, providing a false sense of security. Browsers showed no difference between a domain-only certificate and a certificate that involved more extensive verification of the website’s identity.
Public trust in certificate authorities to verify websites has fallen, and lax domain-only verification is just one example of certificate authorities failing to do their due diligence. In 2011, the Electronic Frontier Foundation found that certificate authorities had issued over 2000 certificates for “localhost” – a name that always refers to your current computer. In the wrong hands, such a certificate could make man-in-the-middle attacks easier.
How Extended Validation Certificates Are Different
An EV certificate indicates that a certificate authority has verified that the website is run by a specific organization. For example, if a phisher tried to get an EV certificate for paypall.com, the request would be turned down.
Unlike standard SSL certificates, EV certificates may only be issued by certificate authorities that pass an independent audit. The Certification Authority/Browser Forum (CA/Browser Forum), a voluntary organization of certification authorities and browser vendors such as Mozilla, Google, Apple, and Microsoft, issues strict guidelines that all certificate authorities issuing extended validation certificates must follow. This ideally prevents the certificate authorities from engaging in another “race to the bottom,” where they use lax verification practices to offer cheaper certificates.
In short, the guidelines demand that certificate authorities verify the organization requesting the certificate is officially registered, that it owns the domain in question, and that the person requesting the certificate is acting on behalf of the organization. This involves checking government records, contacting the domain’s owner, and contacting the organization to verify that the person requesting the certificate works for the organization.
In contrast, verification for a domain-only certificate might involve nothing more than a glance at the domain’s whois records to check that the registrant’s details match those submitted with the request. That certificates were issued for names like “localhost” implies that some certificate authorities weren’t even doing that much verification. EV certificates are, fundamentally, an attempt to restore public trust in certificate authorities and restore their role as gatekeepers against imposters.