
Maximizing Site Visitor Trust Using Extended Validation SSL

By : VeriSign
Published : Feb 14, 2007
Length : 8
Type : White Paper
 
Overview :

Now with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site.

Learn about EV SSL benefits in this VeriSign white paper, "Maximizing Site Visitor Trust Using Extended Validation SSL".

 

Extended Validation SSL:

Introducing Identity Visitors Can Trust

For SSL Certificates to reclaim their authority as a source of site identity information for visitors, industry leaders needed to shore up two weaknesses in the existing system. First, the industry needed a new category of SSL Certificate that carries a high level of promise regarding a site owner’s identity. Then it needed a browser interface that makes it easy for users to see that identity when it’s known—and recognize when it isn’t. These new certificates are the EV SSL Certificates mentioned previously. Some users also refer to them by their working name, which is High Assurance (HA) SSL Certificates. These differ from generic “high-assurance certificates,” which do not imply EV status.

The CA/Browser Forum, consisting of over 20 leading Web browser manufacturers, SSL Certificate providers, and WebTrust auditors, worked for over a year in cooperation with the American Bar Association Information Security Committee (ABA-ISC) to create a standardized authentication process that every CA must follow to issue EV certificates. Such CAs must undergo independent audits to confirm compliance with the specified process. The CA/Browser Forum built this process on existing business verification practices that have been successful over years of widespread use in authenticating millions of SSL Certificates.

Once a CA completes authentication according to this process, it may issue a certificate with EV status. This certificate operates exactly like a traditional SSL Certificate. In fact, browsers not built to recognize EV certificates (including Windows® Internet Explorer® 6, Mozilla® Firefox® 2.0, and their predecessors) behave exactly as they would with a non-EV certificate. New EV-compatible browsers, however, display these certificates in highly visible and more informative ways. The first such browser is Internet Explorer 7 (IE7).


Internet Explorer 7: Green for Go

IE7 has added several interface conventions to enhance identification of site ownership. Most obvious is the “green address bar.” When an IE7 browser accesses a page with a valid EV certificate, the background of the address bar turns green. This simple change indicates very visibly that a site has undergone high-level identity authentication. The choice of color also employs demonstrated interface conventions. In the vocabulary of desktop interface design, the color green signifies “safe to proceed,” just as red signifies danger or a warning.

Consumer research indicates that these interface conventions are highly effective. In the fall of 2006, VeriSign conducted usage and attitude research with online shoppers across the United States. VeriSign's findings included the following:

- 100 percent of participants noticed whether or not a site showed the green Extended Validation address bar.

- 100 percent of participants were more likely to share their credit card information with sites that showed the green address bar.

- 98 percent of participants preferred to shop on sites that showed the green Extended Validation address bar.

- 80 percent of participants reported that they would hesitate to shop at a site that previously showed the green Extended Validation address bar and that no longer does so.

IE7 also contains an additional field to the right of the address bar, called the Security Status Bar. This field appears when the browser can offer information that may be useful to site visitors in evaluating sites. On pages with EV SSL Certificates, the Security Status Bar displays the organization name. This text string comes directly from the certificate, where the CA placed it. Because the CA verified this name and the browser displays the name in its own interface, a visitor can rely on the accuracy of this string.

In the example of the hypothetical online bank called BizyBank, the institution's name appears directly in the browser interface. End consumers can verify the site’s identity by looking for the green address bar and the name BizyBank, which together present a significant new obstacle to phishers seeking to take over BizyBank accounts. Today a phisher need only duplicate the original site and find a convincing URL to be up and running. If BizyBank’s customers learn to seek the company’s name and a green address bar before providing confidential information, then a would-be phisher will not be able to mimic this interface. 
