EV SSL Will Boost e-Consumer Confidence

By Johan Sys


Extended validation, or EV for short, SSL certificates were created by the Certification Authority/Web Browser Forum (CA/B), a trade group of representatives from the two industries looking to save the original promise of SSL certificates as a universal, trusted way to authenticate an encrypted Web site.

The CA/B Forum’s goals are simple: Certify that sensitive data sent over the Internet between two entities like an e-commerce provider and online consumer is adequately encrypted; and verify that the Web server really is owned by the business. Both important steps are needed for a safe, successful, and "phish"-free electronic commercial transaction.

Years after the introduction of the SSL protocol, a broad range of validation techniques have crept into industry practices, sometimes diluting the credentials awarded. From certification authorities that, in old-school fashion, look up businesses requesting certificates and call to see if the number is even still in service, to automated computer validation that, inadequately, merely verifies the business owns the server the certificate represents—the general industry consensus is there needs to be a change.

To remedy this, the CA/B Forum agreed on much more rigorous EV SSL guidelines. While these new policies have been ready for use since October 2006, Microsoft’s latest rollout — Internet Explorer 7 on Windows Vista — will be the first to adopt EV SSL certificates.

When the IE7 user finds a server with an EV SSL certificate, the browser will visually (and colorfully) announce the EV presence by turning the address bar green and identifying the owner of the server, as well as who issued the certificate.

The theory is users will learn to recognize the green address bar as a destination where it is safe to conduct online transactions; there is no risk that it is a phishing or other malicious Web site. The display of yellow and red address bars will alert the Web visitor to proceed with caution.

So, Will Anyone Care?

The e-store buyer remains skeptical: What happens if consumers don’t notice the green bar, or don’t understand what it represents — or don’t even care?

This could happen, but it is not likely. A number of factors point to EV SSL certificates growing like wildfire in popularity over the next year.

Microsoft is making security the cornerstone of its Windows Vista release and the software behemoth is sure to focus time, technology, and a big budget to energetically educate the marketplace about the value of “going green.”

And so they won’t miss the online retail boat that now adds up to $100 billion in consumer sales, the vast majority of Web browsers will soon adopt the new certification and recognize EV SSL certificates, displaying the characteristic “green means it’s okay to buy” sign.

Yes, it’s true that Microsoft designed IE7 to be EV SSL-sensitive only when it’s on the new Windows Vista, as opposed to the now near-ubiquitous Windows XP, but since Windows Vista was just released, it will be quite a while before it is used everywhere. Microsoft’s somewhat cautious OS release approach, though, should not be a drag on the growth of EV SSL adoption because of the anticipated enterprising efforts of the certification authorities.

With each of the EV SSL certificates they sell, many leading information security providers are planning to offer a feature that will automatically and transparently update the root certificate used by the IE7 browser on Windows XP, so that it recognizes and signals the presence of an EV SSL certificate on a server.

Consumers have never been slow to take advantage of free upgrades from one browser release to another; IE7 on Windows XP should gain in popularity quickly, making e-shoppers increasingly aware of the green bar.

Consumer Confidence

According to industry watchdog comScore Networks, online retail spending for 2006 reached $102 billion, an almost 25% increase from the previous year. And the 2006 holiday seasonal e-commerce accounted for about a quarter of the annual total.

Online retailers are ecstatic about the recent holiday shopping season and the growing-by-leaps-and-bounds Web customers. Still, $100 billion is only seven percent of all retail revenues. There is much room for growth and EV SSL certificates will go a long way in ensuring that phishers don’t kill the consumer confidence required for e-retail to continue its climb.

Bogus phishing Web sites, meant to steal your personal information, have increased exponentially in number in recent years. According to IT research group Gartner, the number of phishing e-mail recipients doubled in the last two years to over $100 million, and the average consumer financial loss from phishing jumped in one year almost 500%.

And it’s widely acknowledged that one of the techniques increasingly employed by endlessly innovative cyber criminals is the misuse of digital certificates. Even with certificate authority safeguards, inadequate certificates, based solely on computer-generated processes that do no more than verify domain ownership, are readily available.

Armed with an inferior certificate, phishers, or pharmers — when malicious code is deviously installed on a PC to misdirect you to a fraudulent Internet site — are better able to spoof a Web browser into believing that an imitation URL address is valid, ultimately leading to credit card scams and identity theft.

It will be increasingly clear to everyone running a consumer-oriented e-business that, to survive, the adoption of EV SSL certificates is essential to the future of their business.

Johan Sys is a senior director of Managed Identities at Cybertrust.