
Website Identity Verification: How Browsers Protect You

September 28, 2016

Understanding Extended Validation Certificates

It may have come to your attention that some secure websites display the organization's name directly within your browser's address bar. This visual cue signifies the presence of an extended validation (EV) certificate.

An EV certificate confirms that a thorough verification process of the website’s identity has been successfully completed.

How EV Certificates Differ from Standard SSL

It’s important to understand that EV certificates do not enhance the encryption level of a website. The primary distinction lies in the level of identity assurance they provide.

Traditional SSL certificates typically involve minimal verification of the website owner’s identity. This contrasts sharply with the rigorous checks associated with EV certificates.

The Verification Process

Obtaining an EV certificate requires a comprehensive validation procedure. This includes verifying the legal, physical, and operational existence of the organization.

Certificate authorities conduct these checks to ensure the legitimacy of the requesting entity before issuing the certificate.

Benefits of EV Certificates

  • Enhanced Trust: The visible display of the organization’s name builds greater confidence among website visitors.
  • Reduced Phishing: EV certificates make it more difficult for malicious actors to impersonate legitimate websites.
  • Identity Assurance: Visitors can be more certain they are interacting with the intended organization.

Essentially, an EV certificate serves as a strong indicator of a website’s authenticity, going beyond the basic security provided by standard SSL.

How Browsers Present Extended Validation Certificates

When visiting a secure website lacking an extended validation (EV) certificate, Firefox indicates the site is operated by an “unknown” entity.

Conversely, Chrome doesn’t exhibit a distinct display, simply confirming that the website’s identity has been validated by the issuing certificate authority.


However, when a website employs an extended validation certificate, Firefox explicitly identifies the operating organization. In this instance, the dialog confirms VeriSign’s verification of a connection to the genuine PayPal website, managed by PayPal, Inc.


Display in Chrome

With an EV certificate in place, Chrome showcases the organization’s name directly within the address bar. The accompanying information dialog further details that PayPal’s identity was verified by VeriSign through the use of an extended validation certificate.


This visual cue gives users increased assurance that the site they are interacting with is genuine, and the verified organization name makes it harder for an impostor site to pass itself off as the real one.

The Challenges Posed by SSL Certificates

In the past, certificate authorities undertook thorough identity verification procedures prior to issuing digital certificates. This process involved confirming a website’s business registration, contacting the listed phone number, and ensuring the legitimacy of the operation aligned with the website’s representation.

Over time, certificate authorities introduced “domain-only” certificates as a more economical option. These certificates required less effort from the authority, focusing solely on confirming domain ownership.

This shift was quickly exploited by malicious actors. For instance, a phisher could register a domain like paypall.com and acquire a domain-only certificate. Users accessing paypall.com would then see the familiar lock icon in their browser, creating a misleading impression of security.

Critically, browsers did not differentiate between domain-only certificates and those issued after more comprehensive identity checks. Consequently, public confidence in the reliability of certificate authorities has diminished.

A notable example of this decline occurred in 2011 when the Electronic Frontier Foundation discovered over 2000 certificates issued for “localhost” – a name that always refers to the user’s own computer. Such certificates, if they fell into the wrong hands, could facilitate man-in-the-middle attacks against any client that trusted the issuing authority.

The Implications of Weak Verification

  • Reduced user trust in website security.
  • Increased vulnerability to phishing attacks.
  • Potential for exploitation through misissued certificates.

The ease with which these certificates could be obtained highlighted a significant weakness in the system. More robust verification methods became necessary to restore confidence.

The initial intention of domain-only certificates was to provide a faster and cheaper solution. However, the security trade-offs proved substantial, necessitating a reevaluation of certificate issuance protocols.

Distinguishing Features of Extended Validation Certificates

An EV certificate signifies that a certificate authority has rigorously confirmed the legitimacy of the website's operating organization. For instance, an attempt to fraudulently obtain an EV certificate for a look-alike domain such as paypall.com would fail, because the requester could not prove to be the legally registered organization the domain imitates.

Extended Validation certificates differ from standard SSL certificates in that only certificate authorities that have successfully undergone an independent audit are permitted to issue them. The Certification Authority/Browser Forum (CA/Browser Forum), a collaborative body comprising certificate authorities and browser developers like Mozilla, Google, Apple, and Microsoft, establishes stringent guidelines.

Guidelines for Issuing EV Certificates

These guidelines are designed to prevent certificate authorities from lowering their verification standards to offer certificates at reduced prices. The core principle is to ensure a consistently high level of security.

Specifically, the guidelines require certificate authorities to validate that the requesting organization is legally registered, possesses ownership of the domain, and that the individual submitting the request is authorized to act on the organization’s behalf.

This verification process includes scrutinizing official government databases, directly contacting the domain owner, and confirming the requester’s employment status with the organization itself.

Comparison with Domain-Only Verification

Conversely, a domain-only certificate verification may only entail a cursory review of the domain’s WHOIS records to confirm consistency of registrant information. The issuance of certificates for domains such as “localhost” suggests that some authorities may not even perform this basic level of verification.

EV certificates represent a deliberate effort to rebuild public confidence in certificate authorities and re-establish their function as crucial safeguards against online impersonation.
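As an added example (not code from the original article), the Go program below builds three constructed, self-signed certificates and applies the two checks the article describes: the browser-side decision of whether a certificate carries the CA/Browser Forum EV policy identifier together with a verified organization and country, which decides whether the address bar shows the organization name or “unknown”; and a misissuance check of the kind that would have caught the “localhost” certificates, flagging names a publicly trusted CA should never sign. The organization, domain names and registration number are constructed placeholders; the policy OIDs 2.23.140.1.1 (EV) and 2.23.140.1.2.1 (domain-validated) are the real CA/Browser Forum values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Real CA/Browser Forum policy OIDs: a certificate states its validation level here.
var (
	oidPolicyEV            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidPolicyDV            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// ValidationLevel is the decision a browser makes before labelling a site: an EV
// policy OID plus a subject organization and country means EV; anything else is
// treated as domain-only (DV), exactly like an unverified look-alike domain.
func ValidationLevel(cert *x509.Certificate) string {
	hasIdentity := len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oidPolicyEV) && hasIdentity {
			return "EV"
		}
	}
	return "DV"
}

// DisplayedIdentity is what the address bar shows next to the lock: the verified
// organization for EV, "unknown" for everything else.
func DisplayedIdentity(cert *x509.Certificate) string {
	if ValidationLevel(cert) != "EV" {
		return "unknown"
	}
	return fmt.Sprintf("%s (%s)", cert.Subject.Organization[0], cert.Subject.Country[0])
}

// SuspiciousNames lists subject alternative names a publicly trusted certificate
// should never carry: "localhost", dotless internal names, and loopback, private
// or unspecified IP addresses. A CA signing these skipped even the domain check.
func SuspiciousNames(cert *x509.Certificate) []string {
	var out []string
	for _, name := range cert.DNSNames {
		n := strings.ToLower(name)
		if n == "localhost" || strings.HasSuffix(n, ".localhost") || !strings.Contains(n, ".") {
			out = append(out, name)
		}
	}
	for _, ip := range cert.IPAddresses {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() {
			out = append(out, ip.String())
		}
	}
	return out
}

// makeCert builds a self-signed demo certificate (constructed data, not a real
// issuance). The policy is written as a raw CertificatePolicies extension so the
// same code works across Go versions; parsing fills cert.PolicyIdentifiers.
func makeCert(subject pkix.Name, dns []string, ips []net.IP, policy asn1.ObjectIdentifier) *x509.Certificate {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	policyDER, err := asn1.Marshal([]policyInformation{{policy}})
	must(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        dns,
		IPAddresses:     ips,
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidExtCertificatePolicies, Value: policyDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildSampleCerts returns three constructed certificates: domain-only for a
// look-alike name, EV with the legal identity a CA verifies, and a misissued
// certificate for localhost.
func BuildSampleCerts() (dv, ev, local *x509.Certificate) {
	dv = makeCert(pkix.Name{CommonName: "paypall.example"}, []string{"paypall.example"}, nil, oidPolicyDV)
	ev = makeCert(pkix.Name{
		Organization: []string{"Example Payments, Inc."}, // constructed organization
		Country:      []string{"US"},
		SerialNumber: "C1234567", // business registration number, constructed
	}, []string{"www.example-payments.example"}, nil, oidPolicyEV)
	local = makeCert(pkix.Name{CommonName: "localhost"}, []string{"localhost"},
		[]net.IP{net.ParseIP("127.0.0.1")}, oidPolicyDV)
	return dv, ev, local
}

func main() {
	dv, ev, local := BuildSampleCerts()
	for _, c := range []*x509.Certificate{dv, ev, local} {
		fmt.Printf("%-34v level=%s shown=%q suspicious=%v\n",
			c.DNSNames, ValidationLevel(c), DisplayedIdentity(c), SuspiciousNames(c))
	}
}
```

Running it prints the look-alike domain as DV with identity “unknown”, the EV certificate as EV showing “Example Payments, Inc. (US)”, and the localhost certificate with both of its names flagged. Real browsers go one step further than this check: each EV policy OID is accepted only when asserted under the specific root the CA registered for it, whereas this example accepts the generic CA/Browser Forum OID from any issuer.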
