Provide site visitors visual cues that indicate your site is legitimate with Extended Validation (EV) SSL available from VeriSign. Read this paper to learn how to increase site visitor confidence in your site. Learn more today!
W H I T E PA P E R
Maximizing Site Visitor Trust Using
Extended Validation SSL W H I T E PA P E R
C O N T E N T S + The Erosion of SSL's Identity Promise 3
+ Introducing Identity Visitors Can Trust 4Internet Explorer 7: Green for Go 4
+ How Extended Validation Works 7
+ EV Upgrader Extends Protection to Windows XP Clients 8W H I T E PA P E R
Web business faces a crisis in con?dence. Trust in site security is declining, and inincreasing numbers consumers are scaling back their online transactions-or opting outentirely. According to Forrester Research on December 8, 2005, an astonishing 24percent of Internet users reported that they would not be shopping online that holidayseason because they did not feel safe. A full 61 percent reported that they had at leastreduced online purchases for the same reason. While this phenomenon has been maskedby the overall increase in online activities like banking, trading securities, and ?ling taxes,the fact remains that many online retail businesses are less effective than they could beand are leaving money on the table.Starting early in 2007, online companies will be able to de?nitively demonstrate theiridentity to customers-and customers will be able to con?rm this identity before trustingsites. This opportunity comes as a result of the greatest development in the Web's securebackbone in over 10 years. It is the introduction of a new kind of SSL Certi?cate, the?rst since the technology's origin more than a decade ago.These new certi?cates are called Extended Validation (EV) SSL Certi?cates, and theyrepresent more than a year's effort by the CA/Browser Forum, an industry consortium ofleading Web browser manufacturers and SSL certi?cation authorities (CAs) such asVeriSign. Starting late in 2006, members of the CA/Browser Forum have made these newcerti?cates available for the bene?t of Web businesses and site visitors alike. Thecerti?cates can facilitate online commerce in all its forms by increasing visitor con?dencein legitimate sites and greatly reducing the effectiveness of phishing attacks.
The Erosion of SSL's
Identity Promise
Ask your typical online shopper what the little lock icon on her Internet browser means,and she will tell you it means that transmissions are encrypted and therefore protectedfrom spying eyes. While that's technically correct, it's not all that the original pioneers ine-commerce intended it to signify.The original purpose of SSL Certi?cates was to validate the identity of a site when a userconnected to it. That's because although it is dif?cult to mimic physically the identity ofa business, it is quite easy to mimic one online. The industry understood this principle asearly as 1995 and therefore invented SSL Certi?cates. The creators intended thecerti?cate to vouch for site identity and therefore protect online shoppers from scams. Inthe beginning the identity promise of a standard SSL Certi?cate was enough. Today,however, it is not. The widespread use of the Web by laypeople with no special level ofcomputer education-combined with the low visibility of the lock icon on popularbrowsers-have made it possible for phishing to become the phenomenon we see today.Despite original intentions, traditional SSL Certi?cates aren't the solution. While someCAs do a very good job of authenticating identity, others do very little or employ easilyfooled practices. A site can even use a self-signed SSL Certi?cate with no identityauthentication whatsoever. In the second half of 2005 online users began to see large-scale phishing attacks that used low-authentication, "soft-target" SSL Certi?cates tofurther the illusion of legitimacy.
3W H I T E PA P E R
Introducing Identity Visitors
Can Trust
For SSL Certi?cates to reclaim their authority as a source of site identity information forvisitors, industry leaders needed to shore up two weaknesses in the existing system. First,the industry needed a new category of SSL Certi?cate that carries a high level of promiseregarding a site owner's identity. Then it needed a browser interface that makes it easy forusers to see that identity when it's known-and recognize when it isn't. These newcerti?cates are the EV SSL Certi?cates mentioned previously. Some users also refer tothem by their working name, which is High Assurance (HA) SSL Certi?cates. Thesediffer from generic "high-assurance certi?cates," which do not imply EV status... [download for more]
