Introduction to Extended Validation (EV) SSL / TLS

SSL/TLS, the cryptographic protocol behind https, is no longer a nice-to-have for websites. Site visitors are looking for, and expecting, to see a padlock in the address bar of your site, and the major browsers have announced plans to flag all HTTP sites as non-secure. All signs point to SSL being a need-to-have for anyone operating a website.

When Secure Doesn’t Necessarily Mean Safe

While the increase in SSL usage is generally a good thing – more encryption equals greater security, right? –  phishing and other malicious sites have started to take advantage of this “padlock=safe” mentality by installing low assurance SSL Certificates to appear legitimate and secure.

In reality, these low level certificates only assure that the owner actually operates the domain (hence the name, Domain Validation [DV] SSL Certificate), which makes these types of certificates fairly easy to acquire – the bad actors only need to register a domain and demonstrate administrative control. For example, someone operating the phishing site “paypall.com” would only need to prove that they own the domain. There is no verification of the entity behind the site and therefore no identity information included in the certificate for site visitors to view if they wanted. Most public Certificate Authorities (CAs), the entities that issue SSL Certificates, have checks in place to catch this type of bad behavior and prevent phishers from acquiring SSL for this purpose, but the rise of free SSL services, which often do not have the resources to do these types of checks, has made it easy for phishers to sneak by.

All of this is to say, there’s more to site security than just encryption. Your brand identity – proving that your site is legitimate and not a phishing site – is increasingly important.

In this white paper, we discuss the importance of bringing your corporate identity front and center on your website and how that can be achieved using Extended Validation (EV) SSL.



Request Free!