Did EV-SSL Make Browsing More Secure?

Two years after the launch of Extended Validation SSL, experts raise questions about the technology.

Two years after it launched Extended Validation SSL (EV-SSL), more than 11,300 valid certificates have been sold, with around 8,000 of them sold by VeriSign, developer of the certificates. Of course, considering that VeriSign has over one million standard SSL certificates total, EV-SSL still has a ways to go until it is dominant.

SSL (define) certificates are used across the Web to secure transactions and information transit across the Internet. Yet a basic SSL certificate on its own doesn't necessarily verify the identity or authenticity of a Web site, which is why VeriSign introduced EV-SSL certificates two years ago.

VeriSign claims that the technology is growing rapidly.

"We're quite pleased with not only the overall number of certificates deployed but also the level of deployment by leading sites such as Bank of America, eBay, and Charles Schwab," Tim Callan, vice president of product marketing at VeriSign, told InternetNews.com . "We're also very pleased that all popular browsers recognize EV certificates today, with over 70 percent of Internet users on EV-aware browsers."

An EV-SSL certificate involves a validation to ensure that the domain owner and site is legitimate. Part of the process involves getting a lawyer or other authorized organization or individual to vouch for an EV-SSL certificate claim.

Not so easy

Warren Adelman, president and chief operating officer of EV-SSL vendor GoDaddy, explained to InternetNews.com that EV-SSL certificates are more expensive, more complex and more time consuming to obtain than regular SSL certificates.

"There are a couple of challenges with Extended Validation and one of the challenges is price," Adelman said. "These are fairly expensive certificate types, the price is driven by what is a fairly complex set of data gathering that takes place as part of the extended validation requirement and that creates a barrier."

At GoDaddy, for example, the most basic type of SSL certificate is sold for $29, while EV-SSL is available for $499. Browser vendors, including Mozilla, Microsoft, Google (NASDAQ: GOOG) and Apple (NASDAQ: AAPL) all have a form of indicator to notify a user that they are on an EV-SSL protected site.

On Mozilla Firefox, for example, regular SSL encrypted sites are typically identified with just a padlock icon, while the icon for an EV-SSL site lights up in green.

Not all users are aware of EV-SSL, and that's an area where Adelman argues that further education is still required. It's something that VeriSign agrees with, though VeriSign's Callan argued that there is real value that businesses have seen from EV, as opposed to just normal SSL.

"EV's challenges for adoption are very typical to other new successful technologies. It is largely an exercise of increasing awareness and showing measurable returns from the technology," Callan said. "Furthermore, VeriSign has published over 20 case studies from around the world showing measured uplift ranging from five to 87 percent as a result of EV."

While EV-SSL represents a degree of authenticity that is greater than regular SSL alone, neither GoDaddy nor VeriSign expect regular SSL to go away anytime soon. Though SSL is used to secure consumer facing sites that could benefit from EV-SSL, GoDaddy's Adelman noted that SSL is also used internally in organizations where the extended validation is not needed.

Both GoDaddy and VeriSign are also seeing a migration from existing SSL customers to EV-SSL.

"Most of our EV deployments have been from traditional VeriSign customers," VeriSign's Callan said. "That makes perfect sense when you consider that the VeriSign Secured Seal is a highly recognized security mark that has been demonstrated to increase consumer confidence on sites and drive additional transactions. EV purchasers seek the very same effect, and therefore we're not surprised to see our seal adopters in favor of EV SSL."

This article was first published on InternetNews.com.

Tags: browsers, Firefox, Google, Microsoft, Mozilla

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.