Are Extended Validation SSL certificates effective?
Every time an SSL cert comes up for renewal, my provider tries to sell me an Extended Validation certificate. The big difference is the green address bar in Firefox and Safari for quadruple or quintuple the cost.
Supposedly, the benefit (and reason for the green bar not shown in IE8 or Chrome) is deeper authentication of the requesting party. But I can detect little actual difference between Verisign's own minimum requirements (from their CPS) for all SSL certs (section 3.2.2):
At a minimum VeriSign shall:
• Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,
• Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.
Where a domain name or e-mail address is included in the certificate VeriSign authenticates the Organization’s right to use that domain name either as a fully qualified Domain name or an e-mail domain.
and EV requirements (Appendix F14C):
(C) Business Entities
To verify a Business Entity’s legal existence and identity VeriSign verifies that the Entity is engaged in business under the name submitted by Applicant in the Application. VeriSign verifies that the Applicant’s formal legal name as recognized by the Registration Authority in Applicant’s Jurisdiction of Registration matches Applicant’s name in the EV Certificate Request. VeriSign records the specific unique Registration Number assigned to Applicant by the Registration Agency in Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the Applicant’s date of Registration will be recorded. In addition, the identity of a Principal Individual associated with the Business Entity is verified in accordance with Section 14(b)(4) of the EV Guidelines.
So:
1) Do EV certificates actually inspire more trust among users?
2) Do EV certificates actually help fight phishing/fraud/any of the things vendors list?
3) If they actually performed the minimum requirement, doesn't that include all the EV stuff? What am I missing?
Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).
First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800 page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.
On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.
As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:
The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.
To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.
Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.
Most of the answers here have both sides covered, but I figured I'd chime in (even though, as I work for Thawte, I may also be taken "with a grain of salt"). EV SSL works splendidly to solve a very serious problem -- verifying the identity of websites and encrypting connections between them, which cuts down on phishing significantly -- but oddly enough most discussions are less about whether or not it works and more about whether or not people will notice. And due to skepticism surrounding consumers' recognition of the technology, some sites have opted out of EV -- despite the fact that most IT professionals are arguing that widespread encryption will be the only way to maintain a secure internet, and when a good deal of what EV SSL does in the first place is to educate consumers so they can discern between fake and real sites (the green URL bar, etc). So it's a catch-22. Consumers will never learn unless they get their hands on technology like EV, and learn that stuff like padlocks and CAs really aren't all that inaccessible to the layman, but since they aren't educated enough to tell the difference at the moment EV is avoided as a money trap. This is a shame, because studies have shown that EV can reduce the amount of abandoned shopping carts and other obstacles to conversion (not only in the VeriSign study but in other independent 3rd party studies). And, of course, everyone needs some kind of encryption.
My advice: most companies offer a 30-day trial of EV or some such. Try it out and maybe run a few casual surveys with your customers to see how they respond. That should give you a better sense of whether or not it's a good investment for you personally.
The idea was that Certificate Authorities would spend the money you paid for a certificate to make sure you actually were who you said you were, by checking official records and fun things like that. They soon realised they could make more money if they didn't do as many checks, and many just check that you can receive email to the domain you're creating a certificate for. Then a bunch of people got together and said "well, you're not really doing the job you were meant to be doing" and the CAs came back and said "well why don't we create EV certificates, which we'll do more rigorous checks on, like we were originally meant to", so now you have standard certificates and EV certificates, which have had more rigorous identity checks performed. The browser makes it clear that these new certificates are different, presumably so people who've bought an EV certificate can feel they've got something worthwhile for their extra money.
But in the end, most people don't have a clue about security or encryption and as long as they see a padlock they assume they're secure. Yes, an EV certificate is better, but most people wouldn't know the difference.
For technical people, I think you can consider normal certificates good for encryption only, and EV as encryption with better authentication.
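What "better authentication" amounts to on the wire, and what the question's comparison of OV and EV vetting boils down to technically, is a handful of extra subject attributes (registration number, business category, jurisdiction) plus a CA policy OID that browsers match against a hard-coded list. The following Go program is an added example, not code from this thread or from any CA: it builds self-signed DV, OV and EV-shaped test certificates and classifies them the way a browser would. The EV policy OID, the organisation details and the fixed signing key are constructed placeholders; the subject OIDs are the real ones from the EV Guidelines.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// Real subject OIDs the EV Guidelines require; the policy OID is a constructed placeholder (real EV policy OIDs are CA-specific and hard-coded in each browser).
var oidBusinessCategory = asn1.ObjectIdentifier{2, 5, 4, 15}
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
var oidDemoEVPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
var evPolicyExt, _ = asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidDemoEVPolicy}}) // certificatePolicies DER; cannot fail for a fixed OID
// Classify mimics the browser-side decision: EV needs a recognised policy OID plus the vetted identity
// fields; OV is any cert naming an organisation; otherwise DV. None of this says how the named organisation runs its site.
func Classify(c *x509.Certificate) string {
	var biz, jur, pol bool
	for _, n := range c.Subject.Names { // ExtraNames land here once the cert is parsed
		biz, jur = biz || n.Type.Equal(oidBusinessCategory), jur || n.Type.Equal(oidJurisdictionCountry)
	}
	for _, p := range c.PolicyIdentifiers {
		pol = pol || p.Equal(oidDemoEVPolicy)
	}
	if pol && biz && jur && c.Subject.SerialNumber != "" && len(c.Subject.Organization) > 0 {
		return "EV"
	} else if len(c.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}
// MakeCert builds a self-signed test certificate of kind "DV", "OV" or "EV".
func MakeCert(kind string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed all-zero test seed; never for a real key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if kind != "DV" { // OV: the vetted organisation name goes into the subject
		tmpl.Subject.Organization = []string{"Example Corp"}
	}
	if kind == "EV" { // EV: registration number, business category, jurisdiction and policy OID
		tmpl.Subject.SerialNumber = "12345678"
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionCountry, Value: "US"}}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: evPolicyExt}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so the result is exactly what a browser would see
}
```

Run Classify over a real site's leaf certificate and the only thing separating "OV" from "EV" is these fields and the policy match; nothing in either says anything about the server behind it.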