Extended Validation SSL Certificate Questions & Answers

What is an "EV SSL Certificate"?

"EV" stands for Extended Validation.

Extended Validation SSL Certificates are a new type of SSL Certificate which is intended to give users more confidence in who you are (the legal entity who has applied for the ssl certificate) and that you control/own your web site. Specifically, an Extended Validation SSL Certificate assures your users that they are really viewing your web site, and not an impostor site that looks exactly like yours.

How does Extended Validation work?

Your web browser will display a green address bar when visiting a web site that has been secured by a valid EV SSL Certificate. For example, when you visit this page via https, your web browser will turn the address bar green. Also, on the righthand side of the address bar you will notice a box which alternates between your legal company name and the certificate authority which issued the EV Certificate.

If you have an EV Certificate and are having trouble enabling the green address bar, see this article for instructions.

How do I purchase an Extended Validation Certificate?

Depending on your needs, you may want to look at a few different options.

So what's wrong with the old SSL certificates?

1. Technically speaking, there is nothing wrong with the old ssl certificates. Since they use the same data encryption, both certificate types will allow you to securely transfer data between two end points.

2. That brings us to the problem of who is on the other end: How do your customers know it's really you?

In the early days of the web, SSL Certificates were only issued to a real business or individual. Before issuing you an SSL Certificate, the CA would verify your domain ownership, business registration and address, phone number, and other pertinent information. But there was no standard in place to make them verify all those details.

In recent years, some CAs began to offer low-cost certificates with "domain only" validation. These types of ssl certificates typically only verify the control/registration of your web site's domain (often a simple check of the whois record).

Then phishing sites burst onto the scene. Here's a typical story:

A criminal buys the domain paypa1.com (note the number 1) and sets up a web page that looks just like the login page to PayPal. Then an email is sent out telling people that for some reason or other they need to login to their account by clicking on a link provided in the email. Unsuspecting users click the link and send their login information to paypa1.com (this is known as Phishing). The bad guys then use this login information to steal--by making online purchases, or transferring money to their accounts, etc.

The first round of Phishing attacks did not include the use of SSL Certificates and Site Seals, probably because it was easy enough to get people to "login" over a standard http (non-secured) connection. But as people became more wary of online scams, the Phishers adapted by purchasing easy to acquire "domain-only" SSL Certificates giving them the appearance of a trusted third party endorsement that helped to establish the falsified web site as being authentic.

Unfortunately, all previous versions of web browsers could not distinguish between fully validated SSL Certificates and the cheaper "domain-only" type. Providing no reasonable method for Internet users to know if that little gold padlock in their browser was issued to an accountable party on the other side. Thus came the need for a High Assurance (standards based) EV SSL Certificate.