
EV SSL - for times when the little yellow lock doesn't convey enough trust

Extended Validation SSL raises the bar on standard SSL validation processes

IT Best Practices Alert By Linda Musthaler, Network World
January 05, 2009 12:01 AM ET

Network World - Whew! The busy season for online holiday shopping has finally ended. Now it’s time to analyze the results and figure out how to handle the process better for next year.

No doubt one of the metrics that online retailers will be taking a hard look at is shopping cart abandonment. According to Marketing Sherpa, 59.8% of online shoppers abandon their cart without ever making a purchase. The reasons for this vary – “I was comparison shopping,” “Shipping costs were too high” – but doubts about the Web site’s security certainly rank among the top five reasons for cart abandonment. Many shoppers just don’t feel comfortable entering their credit card information to make a purchase from some Web sites. I know I’ve had that sixth sense telling me not to trust an unfamiliar site.

Shoppers are told to look for the little yellow lock at the bottom of the screen to be sure their Web session is secure before entering confidential information. Unfortunately, the yellow lock might be giving a false sense of security. While it does indicate that the data transmission between the shopper’s browser and the e-commerce Web site is secured with SSL (i.e., it's encrypted), it doesn’t tell the shopper if the Web site that owns the SSL certificate is actually a legitimate business. So the shopper might be giving his credit card information to some phisher who set up a pretty nice Web site and paid 20 bucks to acquire an SSL certificate. (I bet if more shoppers knew this, the abandonment rate would be a lot higher than 59.8%.)

To combat this problem, a number of companies that issue the SSL certificates (known as certificate authorities) joined with Internet browser vendors to form the Certificate Authorities & Browsers Forum, or CA/B Forum. The purpose of the forum is to raise the bar on standard SSL validation processes through the Extended Validation SSL (EV SSL) Certificate. The EV SSL helps to establish the legitimacy of online businesses. Basically, it’s a detailed background check for anyone applying for an EV SSL Certificate.

Here’s how it works. When a private organization, business entity or government agency approaches a certificate authority (CA) to request an EV SSL certificate, the CA does a pretty thorough check to confirm the authenticity and ownership of the Web site. There are specific guidelines for the systematic authentication process. The CA is obligated to:

* Establish the legal, physical and operational existence of the entity.
* Verify that the entity’s identity matches official records like incorporation and business licensing information.
* Confirm that the entity owns or has exclusive rights to use the domain mentioned in the application for certification.
* Confirm that the request for an EV SSL certification has been authorized by the entity.

The objective of this process is to help users distinguish between legitimate Web sites and phishing sites and to build trust in online transactions.

When a user lands on a Web site with an EV SSL certificate, the first thing the user should notice is a green bar in the Web address space. (Note that Internet Explorer users will only see the green bar if the phishing filter in the browser is turned on.) If the user mouses over the address bar, he’ll see detailed information about the security status of the Web site. Both the color and the added information are there to provide assurance that the Web site is legitimate and that the regular features of SSL will protect data moving between the browser and the Web site.
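As an added example (not part of the original article), the Python below shows the distinction the article draws: a domain-validated certificate names only the site, while an EV-style subject carries the vetted legal entity behind it. The certificate dicts are constructed samples in the shape of `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical. Treating these four subject fields as the EV marker is a simplifying assumption, since browsers decide EV treatment from the certificate's policy and issuing CA rather than from the subject alone.

```python
# Added example. The certificate dicts are constructed sample data in the shape
# returned by ssl.SSLSocket.getpeercert(); no network access is needed.

# Subject fields that carry the organization identity a CA vetted (assumed
# names, as reported by Python's ssl module).
EV_IDENTITY_FIELDS = ("organizationName", "businessCategory",
                      "serialNumber", "jurisdictionCountryName")

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def identity_level(cert):
    """Classify how much identity the certificate subject asserts."""
    subject = subject_fields(cert)
    if all(subject.get(field) for field in EV_IDENTITY_FIELDS):
        return "EV-style"        # legal entity, registration number, jurisdiction
    if subject.get("organizationName"):
        return "organization"    # an organization name, without the EV fields
    return "domain-only"         # encrypts traffic, names no business

def vetted_identity(cert):
    """Return the vetted-entity fields for an EV-style subject, else None."""
    if identity_level(cert) != "EV-style":
        return None
    subject = subject_fields(cert)
    return {field: subject[field] for field in EV_IDENTITY_FIELDS}

# Constructed sample: the "little yellow lock" case, a domain name and nothing else.
DV_CERT = {"subject": ((("commonName", "shop.example"),),),
           "subjectAltName": (("DNS", "shop.example"),)}

# Constructed sample: an EV-style subject with placeholder company details.
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Retail, Inc."),),
                       (("commonName", "www.example.com"),)),
           "subjectAltName": (("DNS", "www.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("domain-validated", DV_CERT),
                        ("extended validation", EV_CERT)):
        print(label, "->", identity_level(cert), vetted_identity(cert))
```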

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
