EV (Extended Validation) SSL vs Standard SSL Certificates
March 8, 2009 8:53 PM Subscribe
EV (Extended Validation) SSL vs Standard SSL Certificates
I would like to get an SSL certificate for my site to display and promote turst. I'm leaning towards an EV SSL even though they cost more expecially if I were to go with Verisign ($885/annum), I've done a little research and have found Digicert ($488/annum) to be much cheaper, technically they do exactly the same thing. What do you look for in an SSL? would a Digicert EV SSL satisfy you? Do you look for the SSL logo at the bottom of most sites when you plan on sending personal information?
I would like to get an SSL certificate for my site to display and promote turst. I'm leaning towards an EV SSL even though they cost more expecially if I were to go with Verisign ($885/annum), I've done a little research and have found Digicert ($488/annum) to be much cheaper, technically they do exactly the same thing. What do you look for in an SSL? would a Digicert EV SSL satisfy you? Do you look for the SSL logo at the bottom of most sites when you plan on sending personal information?
I look for the lock whenever I am about to access private info or purchase something. I really appreciate it when login screens are secure too, but I don't expect it.
I've set up plenty of SSL sites before for low-volume sellers (maybe 100-200 purchases/month tops), and personally unless I was punching in super-high security stuff I wouldn't bother about the absence of a green bar. To me unless you are serving up thousands of people it seems crazy to invest so much in your certificate. The only thing that really matters is whether the data is being encrypted or not, and whether or not your customer actually sees an alert box saying "We don't recognize this certificate". If you feel that you need the EV, get the cheapest EV cert that is recognized by the most browsers, because once you've taken car of the data-being-encrypted issue, really nothing matters other than appearances, and it's not like Verisign's bar will be any greener.
Some perspective? My bank's website doesn't use an EV cert. Still, I trust that they are who they say they are and that my info will be secure during transmission.
posted by Deathalicious at 10:38 PM on March 8, 2009
I've set up plenty of SSL sites before for low-volume sellers (maybe 100-200 purchases/month tops), and personally unless I was punching in super-high security stuff I wouldn't bother about the absence of a green bar. To me unless you are serving up thousands of people it seems crazy to invest so much in your certificate. The only thing that really matters is whether the data is being encrypted or not, and whether or not your customer actually sees an alert box saying "We don't recognize this certificate". If you feel that you need the EV, get the cheapest EV cert that is recognized by the most browsers, because once you've taken car of the data-being-encrypted issue, really nothing matters other than appearances, and it's not like Verisign's bar will be any greener.
Some perspective? My bank's website doesn't use an EV cert. Still, I trust that they are who they say they are and that my info will be secure during transmission.
posted by Deathalicious at 10:38 PM on March 8, 2009
I look for the lock whenever I am about to access private info or purchase something. I really appreciate it when login screens are secure too, but I don't expect it.
If at all possible, make your login screen secure; otherwise you're training your users to trust that untrusted pages' forms will post to a secure server, which is a bad thing to train users to believe.
What do you look for in an SSL?
Extended Validation is nice to have, but as a great many sites do not have EV certificates*, most users are happy enough dealing with sites without EV certificates.
Furthermore, as long as there are so many sites without EV certificates, it's difficult to train users to check for an EV certificate before entering their details. I mean, when I go to paypal.com it's SSL and I see 'paypal inc' in the url bar that's fine, but when I go to amazon and it's SSL but I don't see 'amazon inc' in the url bar, that's fine too. So if I went to www.paypa1.com and didn't see 'paypal inc' in the url bar, I would only know to be alarmed by the absence of 'paypal inc' in the url bar if I had memorised the fact Paypal has an EV certificate.
My point being: EV may never take off, due to the 1000% price premium for certificates, and therefore you might be paying that premium for 'trust' your users won't even notice. That said, if $300 is small change to your organisation, you could go for an EV certificate anyway.
*Which is understandable because it turns a $29.99 certificate into a $299.99 certificate.
posted by Mike1024 at 3:18 AM on March 9, 2009
If at all possible, make your login screen secure; otherwise you're training your users to trust that untrusted pages' forms will post to a secure server, which is a bad thing to train users to believe.
What do you look for in an SSL?
Extended Validation is nice to have, but as a great many sites do not have EV certificates*, most users are happy enough dealing with sites without EV certificates.
Furthermore, as long as there are so many sites without EV certificates, it's difficult to train users to check for an EV certificate before entering their details. I mean, when I go to paypal.com it's SSL and I see 'paypal inc' in the url bar that's fine, but when I go to amazon and it's SSL but I don't see 'amazon inc' in the url bar, that's fine too. So if I went to www.paypa1.com and didn't see 'paypal inc' in the url bar, I would only know to be alarmed by the absence of 'paypal inc' in the url bar if I had memorised the fact Paypal has an EV certificate.
My point being: EV may never take off, due to the 1000% price premium for certificates, and therefore you might be paying that premium for 'trust' your users won't even notice. That said, if $300 is small change to your organisation, you could go for an EV certificate anyway.
*Which is understandable because it turns a $29.99 certificate into a $299.99 certificate.
posted by Mike1024 at 3:18 AM on March 9, 2009
At this exact moment in time, it really seems like EV isn't worth the investment. Many, if not most banks utilize EV, but very few retailers do, including most of the biggest. I just don't think the adoption rate has been high enough to justify spending the extra money at this point. If every other site out there had EV, you might need to worry that customers would be scared by not seeing it. For now, at least, you'll almost certainly be okay without it. If you're concerned the tide might change, just re-up for one year and we can meet back here next March to reassess the climate.
Disclaimer: I am an Internet Retail Manager, but I IANYIRM.
posted by SpiffyRob at 7:44 AM on March 9, 2009
Disclaimer: I am an Internet Retail Manager, but I IANYIRM.
posted by SpiffyRob at 7:44 AM on March 9, 2009
You absolutely should. If the entry form isn't on an SSL page the user has absolutely no guarantee that their details are even being submitted to the real business.
To clarify, I would want a login for a bank to be SSL, I just don't care if it's something like MetaFilter (although I appreciate that they do use SSL for this).
As far as the second sentence: why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to? This might have been true 10 years ago when the criteria for proving your identity was part of the process, but now that there are SSL certificates that can be bought and "certified" within a few minutes without any human oversight I don't see how an SSL makes anything intrinsically more secure. It's like saying that locking your car guarantees that nothing will be stolen from it. It makes it harder for your average kleptomaniac to get a hold of your stuff, but if someone wants to steal something from your car, locking it is not a significant barrier to entry.
This is what really annoys me about FF3 and its certificate warning "feature".
Basically, this is how you deal with security on the web:
In my opinion, the only thing useful about SSL certificates is that they encrypt my information. I do not believe they confirm that the company is who they say they are, or that they are necessarily trustworthy even if they are who they say they are. I would say that online I am not stupid but I am perhaps more trusting than most people who are privacy or security enthusiasts. Personally, I think this is enough. I believe the reason my house hasn't been turned inside out and ransacked isn't because I keep my door locked; I believe it's because a) most people don't steal from others and b) the numbers game -- there's so many apartments out there to steal from that my 4th floor apartment in the middle of nowhere is going to be relatively untouched. I still lock my door, mind you, just like I would never punch in my credit card number in a site that didn't have an SSL.
Oh, and this is my favorite story: okay, so I set up a site once for a company that needed to secure its data. But for a long time, I had the hardest time getting them to realize that it was a bad idea for the data to be emailed to them from the website. It was a lucky thing that I was so adamant, too. I'm relatively certain there are plenty of web shops that wouldn't think anything of setting something like that up. It was only when I insisted that if they wanted it by email then the data would be sent to them as an encrypted, password-protected zip file that they realized it would be a lot easier to just access the data via the web.
posted by Deathalicious at 9:14 AM on March 9, 2009
To clarify, I would want a login for a bank to be SSL, I just don't care if it's something like MetaFilter (although I appreciate that they do use SSL for this).
As far as the second sentence: why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to? This might have been true 10 years ago when the criteria for proving your identity was part of the process, but now that there are SSL certificates that can be bought and "certified" within a few minutes without any human oversight I don't see how an SSL makes anything intrinsically more secure. It's like saying that locking your car guarantees that nothing will be stolen from it. It makes it harder for your average kleptomaniac to get a hold of your stuff, but if someone wants to steal something from your car, locking it is not a significant barrier to entry.
This is what really annoys me about FF3 and its certificate warning "feature".
Basically, this is how you deal with security on the web:
- Make sure you're on the real website for the company/organization you want. Generally, searching for the company via Google rather than following a link is a good way to verify this.
- Then, and this is important: you must simply trust that their website has not been hacked.
In my opinion, the only thing useful about SSL certificates is that they encrypt my information. I do not believe they confirm that the company is who they say they are, or that they are necessarily trustworthy even if they are who they say they are. I would say that online I am not stupid but I am perhaps more trusting than most people who are privacy or security enthusiasts. Personally, I think this is enough. I believe the reason my house hasn't been turned inside out and ransacked isn't because I keep my door locked; I believe it's because a) most people don't steal from others and b) the numbers game -- there's so many apartments out there to steal from that my 4th floor apartment in the middle of nowhere is going to be relatively untouched. I still lock my door, mind you, just like I would never punch in my credit card number in a site that didn't have an SSL.
Oh, and this is my favorite story: okay, so I set up a site once for a company that needed to secure its data. But for a long time, I had the hardest time getting them to realize that it was a bad idea for the data to be emailed to them from the website. It was a lucky thing that I was so adamant, too. I'm relatively certain there are plenty of web shops that wouldn't think anything of setting something like that up. It was only when I insisted that if they wanted it by email then the data would be sent to them as an encrypted, password-protected zip file that they realized it would be a lot easier to just access the data via the web.
posted by Deathalicious at 9:14 AM on March 9, 2009
I do not believe they confirm that the company is who they say they are, or that they are necessarily trustworthy even if they are who they say they are.
exactamundo. you get three levels of verification:
Standard: the person who requested the certificate has verified ownership of the root domain in the certificate
Corporate Verification: the company listed on the certificate has been verified in good standing
EV: the company listed on the certificate has been verified in good standing and a lawyer or CPA reverified the company's existence.
No SSL is going to say that a person is trustworthy, just that they can jump through an appropriate amount of hoops to meet the CA's requirements. I can be a scammy bastard, go get an LLC or even just an FBN, and then get my SSL and go.
Caveat emptor.
posted by phredgreen at 11:47 AM on March 9, 2009
exactamundo. you get three levels of verification:
Standard: the person who requested the certificate has verified ownership of the root domain in the certificate
Corporate Verification: the company listed on the certificate has been verified in good standing
EV: the company listed on the certificate has been verified in good standing and a lawyer or CPA reverified the company's existence.
No SSL is going to say that a person is trustworthy, just that they can jump through an appropriate amount of hoops to meet the CA's requirements. I can be a scammy bastard, go get an LLC or even just an FBN, and then get my SSL and go.
Caveat emptor.
posted by phredgreen at 11:47 AM on March 9, 2009
As far as the second sentence: why? How on earth does having an SSL certificate guarantee that my submission is going where I expect it to?
Under certain conditions, you can type www.metafilter.com into your brower's address bar, and end communicating with a server other than the Metafilter server.
For example, when you're connected to the WiFi at a dodgy coffee shop or internet cafe, it's possible for the owners of the access point to mess with the domain name resolution so that, when you resolve www.metafilter.com, instead of pointing you to the correct IP address (174.132.172.58), it points you to some other IP address - perhaps with a server showing the same pages as the normal metafilter server, but stealing your password if/when you log in.
Basic SSL certificates verify that the person receiving the certificate legitimately owns the domain. So if you're communicating with www.metafilter.com over an SSL-encrypted connection encrypted with a valid certificate, it is guaranteed that you are communicating with a server owned by the owner of the domain www.metafilter.com.
Admittedly, there are any number of possible security issues that SSL doesn't attempt to address, but what it does do is verify that the server you're communicating with is owned by the owner of the domain you've asked for.
posted by Mike1024 at 3:27 PM on March 9, 2009
Under certain conditions, you can type www.metafilter.com into your brower's address bar, and end communicating with a server other than the Metafilter server.
For example, when you're connected to the WiFi at a dodgy coffee shop or internet cafe, it's possible for the owners of the access point to mess with the domain name resolution so that, when you resolve www.metafilter.com, instead of pointing you to the correct IP address (174.132.172.58), it points you to some other IP address - perhaps with a server showing the same pages as the normal metafilter server, but stealing your password if/when you log in.
Basic SSL certificates verify that the person receiving the certificate legitimately owns the domain. So if you're communicating with www.metafilter.com over an SSL-encrypted connection encrypted with a valid certificate, it is guaranteed that you are communicating with a server owned by the owner of the domain www.metafilter.com.
Admittedly, there are any number of possible security issues that SSL doesn't attempt to address, but what it does do is verify that the server you're communicating with is owned by the owner of the domain you've asked for.
posted by Mike1024 at 3:27 PM on March 9, 2009
« Older Program Transfer/Licensing Question | I'd rather not have to wait for the ESPN Classic... Newer »
This thread is closed to new comments.
Most SSLs are going to do the same thing on the backend: encrypt the data moving between your server and the end user's browser/device. The different levels of certificates are more about what gets published on the issued certificate.
This means that the more you pay, the more warm fuzzies you can convey to your end users.
What you're doing with the site is key. I see people get EVs and even corporate validation certs for mailservers and VPNs, which is silly, considering that those certs will never see the light of day.
On the other hand, if you're trying to convey trust, the green bar and indicators in IE7 and FF3 are about as good as it gets, and for people who don't know alot about the web to begin with, a green address bar is going to be much warmer and fuzzier than a yellow or white one.
As far as the CA, your average end user won't care whether it came from verisign or geotrust or comodo or godaddy or digicert or whomever else, only that the lock is displayed and that the address bar changes to reflect the encryption. You will find that there's a bit more brand recognition if you choose to display the CA's site seal on your webpage, but that's about it.
If you can find a deal, do a little homework to understand what is necessary for issuance (EV is a little complicated), and then go for it.
Feel free to memail me if you have any other general questions.
posted by phredgreen at 9:09 PM on March 8, 2009