Merchant Risk Council Recommends Extended Validation SSL Certificates

The Merchant Risk Council, whose mission statement is "to make the internet a preferred place to shop and sell", is recommending that e-commerce sites adopt extended validation (EV) certificates in place of their current SSL certificates. MRC's Executive Director Tom Donlea said:

It is critical for merchants to use EV SSL as a tool to protect themselves -- and their customers -- from the latest online hazards such as hacking and phishing.

However, Network Computing's Mike Fratto says that the recommendation is flawed because EV Certificates themselves are flawed.

When you purchase an SSL certificate from a CA, they will typically check to ensure that you are the authorized person requesting the certificate for the domain. The details are referenced in each certificate authority's Certification Practice Statement and Certificate Policies. With EV certificates, the certificate authority is supposed to further verify that the company is an actual business. If the business is verified, the EV certificate is issued. Internet Explorer and Opera, when seeing a valid EV certificate, will turn the address bar green. Otherwise, the address bar remains neutral. Invalid certificates turn the address bar red. Green good, red bad. Neutral OK.

This is a gross oversimplification of what is done to validate a company before it receives an EV SSL certificate. A detailed description of what CAs are required to validate when issuing EV certificates can be found in the CA/Browser Forum's EV SSL Certificate Guidelines. It essentially covers:

  1. Verifying the company's ownership of the domain name through the WHOIS record.
  2. Verifying the company's legal existence and active status.
  3. Verifying the physical address and phone number.
  4. Verifying the details of a member of upper management in the company who can give permission to another employee to order the certificate.
  5. Verifying that the company is not on any government blacklists and is not a high risk for phishing.

Mike's main argument is that the indicator that an EV certificate is in use (the green bar) won't work:

There are many reasons why unsuspecting users fall prey to phishing scams: scams are sophisticated and users are largely uneducated about the various problems. Both problems are exacerbated by implementations in browsers that are often difficult to understand by non-technical users. That is an extremely difficult problem to solve. A January 2007 joint research paper by Stanford University and Microsoft drives the point home that extended validation certificates made no difference in a user's ability to differentiate a legitimate web site from a phishing site.

It's time to stop offering up EV certificates as a reliable means for consumers to differentiate a legitimate site from a fraudulent one and focus energies towards methods that will actually help consumers to determine legitimate sites.

While it is true that phishing scams will continue to exist (most of them are hosted on sites that don't use SSL anyway), more and more consumers will begin to recognize the green address bar, and it will become an effective way to instill more trust. There is a reason that big online players like Amazon and PayPal have switched to EV. That doesn't mean it is appropriate for everyone, but it can help convert more visitors into buyers.

For more information, see "Are extended validation certs worth the extra money?"

Originally posted on Sun Nov 25, 2007