So, is it the end of EV SSL certificates? – Quod Orbis | Continuous Controls Monitoring

So, is it the end of EV SSL certificates?

So, with Troy Hunt proclaiming that EV is dead, is this actually true, or just a one-man (well, probably more than just Mr Hunt) campaign?

Background

As a recap / piece of history, EV (Extended Validation) certification is basically the top level of SSL certificate (also known as the “gold standard”), which requires the Certificate Authority (CA) to run in-depth identity checks on the organisations or individuals applying for certificates. It is a “level up” from OV (Organisation Validation), which still requires validation: the CA verifies the actual business and the individual requesting the certificate, and lists the organisation’s name in the certificate (providing some assurance that the company and website are reputable).

Then, just to close off, below OV is DV (Domain Validation), the basic level of SSL validation, recommended when security is not so much of a concern!

What are the main benefits of EV and OV?

From looking into this, there are definitely two camps: the EV supporters (mostly resellers!) and the “EV is dead” campaigners, so here are the main arguments from both.

EV Pros

Extended Validation (EV) certificates provide the maximum amount of trust to visitors and require more checks by the Certificate Authority (CA) to validate. As per the guidelines set by the CA/Browser Forum, extra documentation must be provided before an EV certificate is issued. An EV certificate lists the company name in the certificate itself (as with OV); however, a fully validated EV certificate would also show the name of the company or organisation in the address bar itself, with the address bar displayed in green (well, still in a few browsers). This gives visitors a visual way to know that extra steps were taken to validate the website they are visiting (which is why most large companies and organisations choose EV certificates).

Allegedly, although more expensive, EV pays for itself: the more people trust your site, the more likely they are to do business with you. It is also stated that it is proven to help increase conversion rates on websites (lower bounce rates / shopping cart abandonment, which can recoup the extra cost).

Some advantages of opting for EV SSL Certificates:

1. Identity Verification – An EV SSL certificate lets you know that the website you are visiting indeed belongs to the company named in it (this was the main feature of the green bar).

2. Certificate Transparency – Another stated benefit of EV SSL certificates is Certificate Transparency, which means any certificate issued by a provider must be logged in a public record for anyone to see. The purpose of this is to ensure that no one else can obtain a certificate for your domain name without it being visible to you.

3. Revocation Checking – If the private key or certificate gets compromised in any way, to reduce the risk you can mark your certificate as revoked, with the aim of stopping browsers from accepting it. However, with basic SSL certificates revocation checking isn’t mandatory, so sometimes this will not work (whereas with EV SSL certificates the browser must perform the revocation check).


OV SSL Certificate Benefits

Generally, EV SSL certificates compare unfavourably with OV ones, as they are a lot more expensive and, due to the nature of the certificates, a lot harder to obtain: the validation process takes much more effort and time.

Although EV is sometimes stated as having superior encryption, when it comes to encryption there is actually no difference. All SSL certificates (DV, OV, EV), regardless of price and checks, support the same enterprise-level 2048-bit encryption keys.

Apart from encryption, the next main advantage claimed for EV certificates is the added security (validation), but with the changes to browsers this will not be as obvious, and apart from checking the padlock (which EV and OV both have), how often does the normal user / customer check further into the certificate (especially when most ‘techies’ admit to not doing it)?
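As an added example (not from the original post), here is what “checking further into the certificate” looks like when done programmatically: classify a leaf certificate as EV, OV or DV from the CA/Browser Forum policy OIDs and the EV-only subject fields, which is the information the green bar used to summarise. The subject tuples are constructed in the shape Python’s ssl getpeercert() returns; the policy OIDs are assumed to come from a full X.509 parser, since getpeercert() does not expose extensions.

```python
# Added example, not the post's own code: classify a leaf certificate as EV / OV / DV
# from signals browsers no longer show; the certificate inputs are constructed.

# Policy identifiers reserved by the CA/Browser Forum for each validation level.
# CAs historically used their own EV OIDs as well; add those to this table.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",    # Extended Validation
    "2.23.140.1.2.2": "OV",  # Organization Validated
    "2.23.140.1.2.1": "DV",  # Domain Validated
}
# Subject attributes an EV certificate must carry on top of organizationName.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_to_dict(subject):
    """Flatten an ssl.getpeercert()-style subject ((('k', 'v'),), ...) to a dict."""
    return {name: value for rdn in subject for name, value in rdn}


def validation_level(subject, policy_oids):
    """Return (level, problems).

    level is taken from the certificatePolicies OIDs ('unknown' if none of the
    CA/B Forum OIDs is present); problems lists subject fields that contradict
    that level, e.g. an EV OID on a certificate without the EV subject fields."""
    level = next((CABF_POLICY_OIDS[o] for o in policy_oids if o in CABF_POLICY_OIDS), "unknown")
    fields = set(subject_to_dict(subject))
    problems = []
    if level == "EV":
        problems += sorted(f"missing {f}" for f in EV_SUBJECT_FIELDS - fields)
    if level in ("EV", "OV") and "organizationName" not in fields:
        problems.append("missing organizationName")
    if level == "DV" and "organizationName" in fields:
        problems.append("organizationName present in a DV certificate")
    return level, problems


# Constructed sample subjects, in the shape ssl.SSLSocket.getpeercert() returns.
EV_SUBJECT = ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
              (("businessCategory", "Private Organization"),),
              (("jurisdictionCountryName", "GB"),), (("serialNumber", "01234567"),),
              (("commonName", "www.example.com"),))
OV_SUBJECT = ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
              (("commonName", "www.example.com"),))
DV_SUBJECT = ((("commonName", "www.example.com"),),)

if __name__ == "__main__":
    for name, subj, oids in [("EV", EV_SUBJECT, ["2.23.140.1.1"]),
                             ("OV", OV_SUBJECT, ["2.23.140.1.2.2"]),
                             ("DV", DV_SUBJECT, ["2.23.140.1.2.1"])]:
        print(name, validation_level(subj, oids))
```

A browser additionally requires the issuing root to be EV-enabled for that OID, which this check cannot see, and older EV certificates carry a CA-specific EV OID rather than 2.23.140.1.1.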

It is also said that EV certificates can encourage poor hygiene, because they discourage regular key and certificate rotation: people try to avoid the longer and more painful process and go for the longest possible lifetime on their certificates (rather than being encouraged towards shorter certificate lifetimes).

So in summary:

EV certificates do provide more security and assurance, not due to the encryption used, but because further validation checks have been made against them, and they can be inspected by users to ensure these companies are who they say they are.

There used to be obvious signs on websites showing which were using EV as opposed to OV, but most browsers are changing this and now really just show which sites use EV or OV as opposed to DV, requiring users to do extra checks (which, in the main, people will not do). For user experience, this is therefore mostly a level playing field.

Then there is something not mentioned by either camp (and sorry to bring it up in a summary), although quite important in an ever-changing infrastructure, DevOps, etc.: certificate auto-renewal. It is important to automate as much as possible, which can be done with DV (and is why many companies are apparently ditching EV).

So, although the effort of some CAs to push pricey EV certificates is quite obvious, the fact is that some of the biggest companies today have stopped using EV certificates in favour of OV or DV certificates. Those without EV (at the time of writing) include Amazon, eBay, Netflix, Facebook, Twitter and LinkedIn.

Therefore

In my opinion, and trying not to sit on the fence (which would be easy to do), if the changes to browsers keep making it harder to tell whether a website is EV (and especially if DV becomes more automated), I believe the future for EV is bleak, so perhaps not dead as yet, but just hanging on, on a life support machine!


