EV (Extended Validation) SSL vs Standard SSL Certificates
March 8, 2009 8:53 PM   Subscribe

I look for the lock whenever I am about to access private info or purchase something. I really appreciate it when login screens are secure too, but I don't expect it.

I've set up plenty of SSL sites before for low-volume sellers (maybe 100-200 purchases/month tops), and personally unless I was punching in super-high security stuff I wouldn't bother about the absence of a green bar. To me unless you are serving up thousands of people it seems crazy to invest so much in your certificate. The only thing that really matters is whether the data is being encrypted or not, and whether or not your customer actually sees an alert box saying "We don't recognize this certificate". If you feel that you need the EV, get the cheapest EV cert that is recognized by the most browsers, because once you've taken car of the data-being-encrypted issue, really nothing matters other than appearances, and it's not like Verisign's bar will be any greener.

Some perspective? My bank's website doesn't use an EV cert. Still, I trust that they are who they say they are and that my info will be secure during transmission.
posted by Deathalicious at 10:38 PM on March 8

I look for the lock whenever I am about to access private info or purchase something. I really appreciate it when login screens are secure too, but I don't expect it.

If at all possible, make your login screen secure; otherwise you're training your users to trust that untrusted pages' forms will post to a secure server, which is a bad thing to train users to believe.

What do you look for in an SSL?

Extended Validation is nice to have, but as a great many sites do not have EV certificates*, most users are happy enough dealing with sites without EV certificates.

Furthermore, as long as there are so many sites without EV certificates, it's difficult to train users to check for an EV certificate before entering their details. I mean, when I go to paypal.com it's SSL and I see 'paypal inc' in the url bar that's fine, but when I go to amazon and it's SSL but I don't see 'amazon inc' in the url bar, that's fine too. So if I went to www.paypa1.com and didn't see 'paypal inc' in the url bar, I would only know to be alarmed by the absence of 'paypal inc' in the url bar if I had memorised the fact Paypal has an EV certificate.

My point being: EV may never take off, due to the 1000% price premium for certificates, and therefore you might be paying that premium for 'trust' your users won't even notice. That said, if $300 is small change to your organisation, you could go for an EV certificate anyway.

*Which is understandable because it turns a $29.99 certificate into a $299.99 certificate.
posted by Mike1024 at 3:18 AM on March 9

I look for the lock whenever I am about to access private info or purchase something. I really appreciate it when login screens are secure too, but I don't expect it.

You absolutely should. If the entry form isn't on an SSL page the user has absolutely no guarantee that their details are even being submitted to the real business. You absolutely must put the form on an SSL page. My bank gets this wrong, so I enter fake usernames/passwords on the first form, which then redirects me to the secure form from their site, and that's where I'll enter my real login/password.
posted by odinsdream at 7:23 AM on March 9

At this exact moment in time, it really seems like EV isn't worth the investment. Many, if not most banks utilize EV, but very few retailers do, including most of the biggest. I just don't think the adoption rate has been high enough to justify spending the extra money at this point. If every other site out there had EV, you might need to worry that customers would be scared by not seeing it. For now, at least, you'll almost certainly be okay without it. If you're concerned the tide might change, just re-up for one year and we can meet back here next March to reassess the climate.

Disclaimer: I am an Internet Retail Manager, but I IANYIRM.
posted by SpiffyRob at 7:44 AM on March 9

You absolutely should. If the entry form isn't on an SSL page the user has absolutely no guarantee that their details are even being submitted to the real business.

To clarify, I would want a login for a bank to be SSL, I just don't care if it's something like MetaFilter (although I appreciate that they do use SSL for this).

As far as the second sentence: why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to? This might have been true 10 years ago when the criteria for proving your identity was part of the process, but now that there are SSL certificates that can be bought and "certified" within a few minutes without any human oversight I don't see how an SSL makes anything intrinsically more secure. It's like saying that locking your car guarantees that nothing will be stolen from it. It makes it harder for your average kleptomaniac to get a hold of your stuff, but if someone wants to steal something from your car, locking it is not a significant barrier to entry.

This is what really annoys me about FF3 and its certificate warning "feature".

Basically, this is how you deal with security on the web:

1. Make sure you're on the real website for the company/organization you want. Generally, searching for the company via Google rather than following a link is a good way to verify this.
2. Then, and this is important: you must simply trust that their website has not been hacked.

SSL certificates are the icing on the cake of securing your data. They make sure that the data is secure during, in my opinion, the least likely stage of data interception: while it is being sent as a packet. Sure, it is possible to intercept these packets. Yes, it is good for them to be encrypted. But you know what? It's many, many times more likely that the web application has an accidental backdoor, or has a stupid vulnerability (careless uses of fopen come to mind), or they sell off old hard drives without wiping them first, or someone in the company decides to steal the information. Or at the other end...someone tears a credit card application in half, leaves it in the trash, and someone else tapes it together and mails it in to the company with their address and mobile phone number.

In my opinion, the only thing useful about SSL certificates is that they encrypt my information. I do not believe they confirm that the company is who they say they are, or that they are necessarily trustworthy even if they are who they say they are. I would say that online I am not stupid but I am perhaps more trusting than most people who are privacy or security enthusiasts. Personally, I think this is enough. I believe the reason my house hasn't been turned inside out and ransacked isn't because I keep my door locked; I believe it's because a) most people don't steal from others and b) the numbers game -- there's so many apartments out there to steal from that my 4th floor apartment in the middle of nowhere is going to be relatively untouched. I still lock my door, mind you, just like I would never punch in my credit card number in a site that didn't have an SSL.

Oh, and this is my favorite story: okay, so I set up a site once for a company that needed to secure its data. But for a long time, I had the hardest time getting them to realize that it was a bad idea for the data to be emailed to them from the website. It was a lucky thing that I was so adamant, too. I'm relatively certain there are plenty of web shops that wouldn't think anything of setting something like that up. It was only when I insisted that if they wanted it by email then the data would be sent to them as an encrypted, password-protected zip file that they realized it would be a lot easier to just access the data via the web.
posted by Deathalicious at 9:14 AM on March 9

why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to?

It doesn't, exactly. It guarantees that it's going where the business wants it to. Let me be more clear. When you load the page for my bank, BB&T, it's delivered over HTTP, and contains the login form which starts with:

<form action="https://online.bbandt.com/auth/pwd.tb" method="post" id="loginForm" name="loginForm" onsubmit="return submitOLBLogin();">

Since the transmission containing this form was HTTP there is no guarantee that the code in bold was not modified before it reached my browser in the same manner as this kind of trick.

The attack would work by altering the HTTP stream delivered to my browser and changing the form action to any other page. In fact, it could even be redirected to a secure page with a valid certificate and an official-sounding domain name, like secureonlineprovider.com. It could then forward any of my interactions back to the real BB&T so that the entire thing was seamless with the exception of the URL being different, and the attacker knowing my username and password. At no time would it require the user to accept any SSL warnings.

If the scenario had started in HTTPS, the content is guaranteed unmodified in-transit to my browser, so I can trust that the form action is whatever BB&T intended it to be.
posted by odinsdream at 10:13 AM on March 9 [1 favorite]

I do not believe they confirm that the company is who they say they are, or that they are necessarily trustworthy even if they are who they say they are.

exactamundo. you get three levels of verification:

Standard: the person who requested the certificate has verified ownership of the root domain in the certificate

Corporate Verification: the company listed on the certificate has been verified in good standing

EV: the company listed on the certificate has been verified in good standing and a lawyer or CPA reverified the company's existence.

No SSL is going to say that a person is trustworthy, just that they can jump through an appropriate amount of hoops to meet the CA's requirements. I can be a scammy bastard, go get an LLC or even just an FBN, and then get my SSL and go.

Caveat emptor.
posted by phredgreen at 11:47 AM on March 9

As far as the second sentence: why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to?

Under certain conditions, you can type www.metafilter.com into your brower's address bar, and end communicating with a server other than the Metafilter server.

For example, when you're connected to the WiFi at a dodgy coffee shop or internet cafe, it's possible for the owners of the access point to mess with the domain name resolution so that, when you resolve www.metafilter.com, instead of pointing you to the correct IP address (174.132.172.58), it points you to some other IP address - perhaps with a server showing the same pages as the normal metafilter server, but stealing your password if/when you log in.

Basic SSL certificates verify that the person receiving the certificate legitimately owns the domain. So if you're communicating with www.metafilter.com over an SSL-encrypted connection encrypted with a valid certificate, it is guaranteed that you are communicating with a server owned by the owner of the domain www.metafilter.com.

Admittedly, there are any number of possible security issues that SSL doesn't attempt to address, but what it does do is verify that the server you're communicating with is owned by the owner of the domain you've asked for.
posted by Mike1024 at 3:27 PM on March 9

« Older Can I transfer Photoshop/Illus...   |   Where can I watch an online re... Newer »