Do EV Certificates Just Enhance The Bottom Line?

Mike Fratto posted an article in Information Week about how EV certificates don't increase trust. He claims that they only help line the pockets of certificate authorities like VeriSign.

I understand what EV certificates are supposed to impart: that the Web site represents a legitimate business. When generating non-EV SSL certificates, Certificate Authorities (CAs) like VeriSign will, generally speaking, check that the person making the request for a server certificate is the rightful owner of the domain name and is authorized to make the request. You can read the details in section 3.2 of VeriSign's Certification Practice Statement. Basically, if I wanted to request an SSL certificate for the Web site, I would have to prove that I am the rightful owner of the domain and identify myself.

Extended Validation certificates, on the other hand, are supposed to communicate that the Web sites using them are somehow more trustworthy than Web sites that aren't using them. The idea is that, before an EV CA issues a certificate to a company, it validates that the company is a legal entity by checking its incorporation with the claimed state authority. The issuing EV CA also validates that the other information supplied, like the company name, addresses, etc., is accurate. EV certificates also require the use of revocation validation. That's all great stuff. Revocation validation should have been required years ago.

EV certificates never claimed to provide greater technical security (though they do in some ways by requiring certain key sizes, revocation, etc.). The two biggest problems with the validation done for SSL certificates are that there is no standard way of verifying that a person is authorized to order a certificate for a company, and there is no standard way of verifying the legal existence of a company. In fact, there really isn't a standard way of verifying that a company owns a domain name (some CAs send an email, some call, some just use the WHOIS record). The whole point of SSL certificates is to set standards.

Also, EV certificates never claim to verify that a business is worthy of a customer's trust. That involves a whole lot more than what a certificate authority can normally do (reputation monitoring like the BBB, privacy policy verification like TRUSTe). The EV standard only claims to verify that a business is legally registered and active, that it owns the domain name, and that the person ordering the certificate is authorized. This easily stops a phisher from setting up a scam Web site, getting an SSL certificate for it, and attacking. A phisher would not be able to get an EV certificate, so even with a DNS attack they would not be able to spoof a site that uses an EV certificate.
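To make the difference between the two validation levels concrete, here is a small added example (my own code, not from VeriSign or the EV guidelines) that audits a server certificate for the two things the paragraphs above say EV issuance adds: vetted organization identity in the subject, and a revocation endpoint (OCSP or CRL). It works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, so a constructed EV-style and DV-style certificate are embedded inline instead of fetching anything over the network. The attribute names for the jurisdiction and registration fields are assumptions for this example; the rest follows OpenSSL's usual long names.

```python
"""Audit a certificate dict (shape of ssl.SSLSocket.getpeercert()) for the
organization identity and revocation data that EV issuance requires.
Sample certificates below are constructed for this example."""

# Subject attributes an EV CA records about the vetted organization.
# 'serialNumber' here is the registration number with the incorporating
# authority; 'jurisdictionCountryName' is an assumed attribute name.
EV_IDENTITY_FIELDS = (
    "organizationName",
    "businessCategory",
    "serialNumber",
    "jurisdictionCountryName",
)

# Constructed EV-style certificate: organization details plus OCSP and CRL.
EV_STYLE_CERT = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),          # placeholder registration number
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "OCSP": ("http://ocsp.example-ca.invalid",),
    "crlDistributionPoints": ("http://crl.example-ca.invalid/ev.crl",),
}

# Constructed domain-validated certificate: only the domain name is asserted
# and no revocation endpoint is published.
DV_STYLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
}


def subject_fields(cert):
    """Flatten getpeercert()'s subject (tuple of RDN tuples) into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def audit_certificate(cert):
    """Return a list of findings; an empty list means the certificate carries
    the vetted-identity fields and a revocation pointer EV issuance requires."""
    findings = []
    subject = subject_fields(cert)
    for field in EV_IDENTITY_FIELDS:
        if not subject.get(field):
            findings.append(f"subject lacks {field}")
    # Revocation validation needs somewhere to check: OCSP or a CRL.
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        findings.append("no OCSP responder or CRL distribution point")
    return findings


if __name__ == "__main__":
    for label, cert in (("EV-style", EV_STYLE_CERT), ("DV-style", DV_STYLE_CERT)):
        findings = audit_certificate(cert)
        print(f"{label}: {'ok' if not findings else '; '.join(findings)}")
```

Run against a live connection by passing `sock.getpeercert()` instead of the constructed dicts. Note that the dict form does not expose the public key, so the key-size requirement mentioned above has to be checked on the DER certificate separately; this audit only covers identity fields and revocation pointers.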

Originally posted on Tue Aug 5, 2008