Extended Validation Certificates: The Next Level of Security
Due to hit the market in early 2007, Extended Validation (EV) Certificates represent the first major update of the Secure Sockets Layer (SSL) Certificate validation process in a decade. They will require substantial changes to the methods by which the authenticity and identity of online businesses are confirmed, helping consumers determine which Web sites are legitimate businesses having verifiable credentials.
SSL Certificates perform two tasks:
- They assure customers that a Web site is legitimate and that the online business running the site is a licensed business.
- They encrypt data transferred between a customer's Web browser and the online business to help prevent theft of sensitive information such as credit-card numbers, account numbers, and passwords.
The certificates are issued, and their validation is assured, by third-party companies called Certificate Authorities (CAs). When a properly issued SSL Certificate is present on a Web site, the Web browser shows a closed padlock and an "https" in front of the Web address.
Although many CAs already perform rigorous checks to validate the legitimacy of applicants' businesses, Extended Validation Certificates will standardize the validation system used by all CAs. Today, different CAs employ different types or levels of authentication for non-EV certificates, creating vulnerabilities that have been exploited for identity theft, fraud, and other online crimes. By contrast, EV Certificate validation procedures will call for all CAs to require applicants to supply the same documentation and will verify legitimacy using a prescribed set of sources and methods.
As their name indicates, EV Certificates will demand that CAs perform a more extensive validation process. To obtain an EV Certificate, applicants will have to provide CAs with more information about their business and the CAs will have to verify the accuracy of the data through additional sources, including in some cases on-site visits to the applying business.
In addition to resolving the variations in validation procedures, EV Certificates will take advantage of the enhanced security features of the next generation of browser software. Consumers who visit EV-protected Web sites using next-generation browsers such as Microsoft's® Internet Explorer 7™, for example, will experience both higher levels of validation security and a new visual indicator that a site's identity has been validated and its security assured. Namely, the browser address window will turn green when a secure, officially validated connection has been established.
Like sites using other types of SSL Certificates, those with EV Certificates will continue to display the locked padlock icon and an "https" prefix to signal a secure connection.
Based on an industry-wide standard, EV Certificates were developed by a group called the CA/Browser Forum, consisting of the leading providers of Internet browsers and SSL Certificates, such as Network Solutions®. Eligibility for EV Certificates will initially be restricted to corporations, but EV Certificates are expected to quickly become the standard for online authentication and should, over the following months, be extended to additional types of online businesses.