ANTenna Blog -- Internet/Web
Online Security: The Pros And Cons Of Going Green
Posted by Matthew McKenzie Thursday, May 14, 2009, 05:36 PM ET
A new type of SSL certificate is being touted as a boon to online security. But there are two sides to this story, and both are worth hearing.
For more than a decade, the Secure Sockets Layer (SSL) protocol has been a key e-commerce standard. Simply stated, SSL provides a way for Web sites to authenticate themselves and to create a secure connection for online transactions.
In 2006, a growing problem with phishing and other online scams drove an effort to beef up SSL. The result, known as Extended Validation (EV) certificates, requires companies that issue SSL certificates to verify a company's identity more extensively before approving that company's certificate application.
Besides more carefully vetting the companies that request EV certificates, this process delivers another obvious benefit. Today, every major Web browser, including Firefox, Internet Explorer, Safari, Opera, and Google Chrome, uses special identifiers to alert users when they visit a site that employs EV SSL certificates.
Firefox 3.x browsers, for example, replace Mozilla's traditional method of displaying SSL indicators -- a yellow address bar and a padlock icon to the right of the URL -- with a far more colorful indicator that looks like this:

Different browsers recognize EV SSL certificates in different ways, but all of them provide enhanced visual cues along with additional information about EV SSL sites.
Those visual cues, by the way, always use green to identify valid EV SSL certificates and red to flag sites using problem certificates. These are obvious signifiers, yet they are not without controversy, as I'll explain in a moment.
Companies such as Verisign that sell EV SSL certificates claim that this approach makes it far more obvious to Web users whether or not they are visiting a site that has passed the EV approval process. They also assert that companies using EV SSL enjoy significantly higher online sales.
The EV standard has also addressed concerns that it unfairly favored larger companies at the expense of small businesses. Early drafts allowed only incorporated companies to receive EV certificates, but the final EV guidelines only require firms to register with a recognized agency (such as a municipality that issues business licenses) to qualify.
In addition, the price of EV certificates has dropped steadily, and some authorities now issue them for as little as $100.
So, EV is a win-win situation for online businesses and consumers, right? Some people aren't so sure.
Last year, InformationWeek's Mike Fratto posted a very cogent critique of EV certificates. I think many of Fratto's concerns are just as valid today as they were at the time, and they are worth revisiting here.
Fratto noted that EV only certifies that the company running a Web site is "a legal entity." Neither Verisign nor any other authority will certify that a company holding an EV certificate is engaged in legal business practices or that it is "safe" to do business with that company.
Nobody can blame the companies that issue EV certificates for not making promises that could get them sued into the poorhouse. Yet as Fratto points out, this creates a very serious disconnect between what those green address bars actually mean and what most users are likely to assume they mean:
The real question is what the user infers when using a Web browser that is capable of detecting an EV certificate. Green is good. Red is bad. White is neither good nor bad. Those visual clues cause a reasonable person to infer something far different than what is being asserted. What is being asserted by an EV certificate is that the Web site has been validated as a legal entity. What a reasonable person infers is a Web site that turns the address bar green is good, trusted; a Web site that turns the bar red is bad, untrusted; and a Web site where the address bar doesn't change is neither good nor bad.
In all fairness, this disconnect didn't originate with EV SSL. Many Web users also assume that a basic SSL "padlock" icon means they are visiting a "safe" Web site, when the truth is somewhat less cut-and-dried.
I don't want to misrepresent the very real benefits of EV SSL. Any certification scheme that subjects online businesses to more stringent background checks is a good thing. While EV delivers marginal security benefits, however, the EV marketing machine comes dangerously close to promoting it as some sort of miracle cure.
Verisign's claims that EV SSL makes customers more comfortable -- and more willing to shop -- are completely credible. Yet I can't help but wonder whether EV's green-means-go approach to online security doesn't carry a measure of risk for all legitimate online businesses.
After all, security schemes are worthless if the people they are supposed to protect lose faith in them. And if EV SSL gets burned promising more than it can deliver, a lot of innocent companies might wind up taking the heat.




