EV SSL - for times when the little yellow lock doesn't convey enough trust

* Extended Validation SSL raises the bar on standard SSL validation processes

When you want to make a purchase online, your eyes probably move to the bottom of the screen to look for the little yellow lock before you enter your confidential data. But how can you be sure you aren't sending your credit card number to a bogus Web site set up by a phisher? Forget the yellow lock; look for the green bar instead. It's a sign that the business has implemented an Extended Validation SSL.

Whew! The busy season for online holiday shopping has finally ended. Now it’s time to analyze the results and figure out how to handle the process better for next year.

No doubt one of the metrics that online retailers will be taking a hard look at is shopping cart abandonment. According to Marketing Sherpa, 59.8% of online shoppers abandon their cart without ever making a purchase. The reasons for this vary – “I was comparison shopping,” “Shipping costs were too high” – but doubts about the Web site’s security certainly rank among the top five reasons for cart abandonment. Many shoppers just don’t feel comfortable entering their credit card information to make a purchase from some Web sites. I know I’ve had that sixth sense telling me not to trust an unfamiliar site.

Shoppers are told to look for the little yellow lock at the bottom of the screen to be sure their Web session is secure before entering confidential information. Unfortunately, the yellow lock might be giving a false sense of security. While it does indicate that the data transmission between the shopper’s browser and the e-commerce Web site is secured with SSL (i.e., it's encrypted), it doesn’t tell the shopper if the Web site that owns the SSL certificate is actually a legitimate business. So the shopper might be giving his credit card information to some phisher who set up a pretty nice Web site and paid 20 bucks to acquire an SSL certificate. (I bet if more shoppers knew this, the abandonment rate would be a lot higher than 59.8%.)

To combat this problem, a number of companies that issue the SSL certificates (known as certificate authorities) joined with Internet browser vendors to form the Certificate Authorities & Browsers Forum, or CA/B Forum. The purpose of the forum is to raise the bar on standard SSL validation processes through the Extended Validation SSL (EV SSL) Certificate. The EV SSL helps to establish the legitimacy of online businesses. Basically, it’s a detailed background check for anyone applying for an EV SSL Certificate.

Here’s how it works. When a private organization, business entity or government agency approaches a certificate authority (CA) to request an EV SSL, the CA does a pretty thorough check to confirm the authenticity and ownership of the Web site. There are specific guidelines for the systematic authentication process. The CA is obligated to:

* Establish the legal, physical and operational existence of the entity.

* Verify that the entity’s identity matches official records like incorporation and business licensing information.

* Confirm that the entity owns or has exclusive rights to use the domain mentioned in the application for certification.

* Confirm that the request for an EV SSL certification has been authorized by the entity.

The objective of this process is to help users distinguish between legitimate Web sites and phishing sites and to build trust in online transactions.
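The difference between a cheap domain-only certificate and an EV certificate shows up in the certificate's subject, which is where the CA records the identity it verified. The following is an added example, not part of the original article: it classifies a certificate from a dict shaped like the one Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates and hypothetical function names. It is a heuristic; what a browser actually relies on is the EV policy identifier in the certificate and its own list of EV-enabled CAs, neither of which `getpeercert()` exposes.

```python
# Added example: classify a certificate's validation level from its subject.
# Input shape matches the dict returned by ssl.SSLSocket.getpeercert().

# Subject attributes an EV certificate carries. Older OpenSSL builds report
# the jurisdiction attribute by its dotted OID instead of by name.
EV_REQUIRED = {
    "organizationName": {"organizationName"},
    "businessCategory": {"businessCategory"},
    "serialNumber": {"serialNumber"},  # the entity's registration number
    "jurisdictionCountryName": {"jurisdictionCountryName",
                                "1.3.6.1.4.1.311.60.2.1.3"},
}

def subject_fields(cert):
    """Flatten the nested RDN tuples into a {name: value} dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def missing_ev_fields(cert):
    """List the EV identity attributes absent from the subject."""
    fields = subject_fields(cert)
    return [attr for attr, names in EV_REQUIRED.items()
            if names.isdisjoint(fields)]

def validation_level(cert):
    """Return 'EV-like', 'OV-like' or 'DV-like' from subject identity fields."""
    if not missing_ev_fields(cert):
        return "EV-like"
    if "organizationName" in subject_fields(cert):
        return "OV-like"   # organization named, but no registration details
    return "DV-like"       # only control of the domain was checked

# Constructed sample certificates (not taken from real sites).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
EV_CERT = {"subject": (
    (("1.3.6.1.4.1.311.60.2.1.3", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("organizationName", "Example Retail, Inc."),),
    (("commonName", "www.example.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV sample", DV_CERT), ("EV sample", EV_CERT)):
        print(label, validation_level(cert), missing_ev_fields(cert))
```

Both sample sites would show the same lock, since both sessions are encrypted; only the second certificate names a verified legal entity.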

When a user lands on a Web site with an EV SSL certificate, the first thing the user should notice is a green bar in the Web address space. (Note that Internet Explorer users will only see the green bar if the phishing filter in the browser is turned on.) If the user mouses over the address bar, he’ll see detailed information about the security status of the Web site. Both the color and the added information are there to provide assurance that the Web site is legitimate and the regular features of SSL will protect data moving between the browser and the Web site.

All of the major browser developers support the green bar display. It works with Internet Explorer 7, Firefox 3.0, Opera 9.5, Google Chrome, Safari 3.2, and others. All told, more than 60% of the worldwide browser share can display the green bar. Unfortunately, browsers running on Windows XP may not recognize EV SSL certification. However, Windows Vista has been designed to support the standard.

Business adoption of EV SSL certificates is going well. More than 8,000 businesses worldwide have already implemented an EV SSL certificate. It is used by every major industry. A few of the companies that have jumped on the bandwagon include eBay, PayPal, Bank of America, Chase, Travelocity, British Airways, VISA, Charles Schwab, Aetna, Western Union and FedEx. You can see these are the kinds of businesses that rely heavily on trust in their e-commerce sites.

As for results, many businesses have been delighted with what EV SSL has done for them. Overstock.com reports 8.6% reduced cart abandonment. Flagstar Bank experienced a 10% increase in online banking enrollments. Dwell.com realized a 48,000% ROI, and DebtHelp.com achieved over 16,000% ROI.

To learn more about EV SSL, visit the CA/B Forum Web site or talk to any of the certificate authority companies.

Copyright © 2009 IDG Communications, Inc.