VeriSign Extended Validation Certificate




Extended Validation (EV) Certificates are a special type of X.509 certificate that requires more extensive investigation of the requesting entity by the issuing CA (VeriSign, Thawte, GoTrust) before being issued.

The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation Certificates, currently at version 1.1. The guidelines are produced by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions.

An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.

Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add credibility to their websites.

By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business or organization with a verifiable identity.

EV SSL Certificate issuing criteria

Only CAs that pass an independent audit as part of their WebTrust (or equivalent) review may offer EV, and all CAs globally must follow the same detailed issuance requirements, which aim to:
  • Establish the legal identity as well as the operational and physical presence of the website owner;
  • Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer.

VeriSign EV SSL Certificate in the User Interface

Browsers with EV support display more information for EV certificates than for previous SSL certificates. Microsoft Internet Explorer 7, Mozilla Firefox 3, Safari 3.2, Opera 9.5, and Google Chrome all provide EV support.


The Extended Validation (EV) guidelines require participating Certificate Authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the Certificate Authority has completed an independent audit and met other criteria. The browser matches the EV identifier in the SSL certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the SSL certificate receives the enhanced EV display in the browser's user interface.

VeriSign Extended Validation certificate identification

EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement.

What is Extended Validation's effect on phishing?

In 2006, Stanford University students conducted a usability study of the EV display in Internet Explorer 7. The study attempted to measure users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks.

Due to the small size of the study's sample base (nine test subjects per cell), the margin of error of each result was several times the actual measurement, and therefore no useful conclusion was possible. However, this study led the way for other researchers to present results of a statistically significant nature. In January 2007, usability research firm Tec-Ed published its results of running 384 North American test subjects through purchasing simulations on sites with and without green address bars.

Tec-Ed concluded that latent understanding of green address bars was very high, with 93% of test subjects recognizing a site with a green address bar as a safer shopping experience than one without. With regard to Extended Validation's defense against phishing, the Tec-Ed research reveals that when a site adopts green address bars, then 77% of users visiting what appears to be the same site but without the green address bar will decline to complete the transaction. Apparently, though, these results followed some training, so it is difficult to infer what untrained users would do.

To get a VeriSign EV Certificate at the lowest price, visit: https://www.clickssl.com

