What about EV SSL Certs…

Ah! It's the weekend, which means the time has come for yet another post. My first topic deals with EV SSL Certs. A short definition of EV SSL Certs can be found on everyone's favorite site, Wikipedia:

"Extended Validation Certificates (EV) are a special type of X.509 certificate which require more extensive investigation of the requesting entity by the Certificate Authority before being issued."

At first glance, you may think that these very costly little doodads are the greatest thing since sliced bread. After all, per the definition, the purpose of "EV" is to increase the level of assurance associated with these certificates by preventing evildoers from getting them. To do this, an entity attempting to get an EV Cert must be a legal entity that owns the domain for which it is requesting the certificate.

But, here is the problem. Anyone can become a legal entity, get a domain name, and then "purchase" an EV certificate. In the end, the process is pretty much the same as purchasing an SSL Cert, just with more hoops. Thus, you are just paying more money for an SSL Cert, which may or may not provide more assurance for your users. Errr...

Yes, that's right... that extra money is pretty much just an assurance statement. Kinda like: look at me, your browser's bar is now green, thus my SSL-protected site is trustworthy. That statement is actually the issue that I have with EV. After all, I can't really see how it lives up to the lofty goal of protecting users from phishing attacks. And here is why:

  • Users may not see that really cool green bar (a proven fact, per Stanford and Microsoft).
  • EV doesn't really protect against spoofed content.
  • Bad guys can get EV Certs just like everyone else.

So, in the end, I hold on to my opinion that the extra cost for EV is just not justified. Instead, CAs should have been performing the organizational checks to begin with. Oh well...

BTW - KC Lemson had a really good post about the circular interaction between her, me, and the Exchange Product Team, leading to a trip down memory lane and thus her posting about the "Evolution of customer feedback inputs". It's a good read... The only sad part is my grammar in the follow-up post that she references. I really shouldn't post late at night!

Copyright © 2008 IDG Communications, Inc.