Can you tell the difference between the two images below (beyond the fact that they're different websites)?
Do you see where Twitter has 'Twitter, Inc [US]' next to the green padlock and Google only has 'Secure'? That means Twitter is using an EV or Extended Validation certificate, whereas Google is only using a DV or Domain Validation certificate. I've only vaguely noticed that certain HTTPS sites have worded other than 'Secure' next to the green padlock and it wasn't until I read Troy Hunt's blog, On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt, that I knew what that meant.
I won't rehash everything he said because he covered everything really well. You should read it if you have the time. However, there's a quote from his blog posts that sums everything up perfectly.
"Whilst DV certs give us assurance that we're communicating with the domain we think we are, it's EV certs which give us confidence we're communicating with the organisation we think we are."
Domain Validation certificates require the certificate requester to prove that they own the site they're acquiring the certificate for, which isn't difficult to do. The purpose of an EV cert is to provide an extra layer of confidence. Someone could easily acquire a DV cert for a phishing site, but an EV certificate requires proof that they are the organization they're claiming to be.In fact, a human auditor has to perform an independent review of a site before an EV cert can be issued. I cannot just buy a domain, run a Paypal phishing site, and acquire an EV cert that says I'm Paypal.
What does this mean to you? Maybe nothing. It was mentioned that we, security professionals, should begin to change the way we condition our users. So that instead of inherently trusting the green padlock, we train users to recognize the difference between EV and DV certificates and change behaviors based on that. That isn't necessarily plausible at the moment since many top 100 Alexa sites forego EV certs (i.e. Google). But it is possible to begin to pay attention when we see an EV cert for a HTTPS site and change behaviors when we no longer see that cert.
For example, Bank of America has an EV cert and I've always subconsciously known that because it was the first time I wondered why the organization name was next to the green padlock. If that were to suddenly change one day, I'd immediately become suspicious.
So, will you begin to look out for these two types of certs now? Did you know about EV and DV certs before or is this your first time hearing about it too?
Top comments (9)
Thanks for sharing this. This is an important topic for any developer since it's often - in my case as a consultant, at least - us who are responsible for applying certificates to servers. Knowing and understanding the differences between DV and EV certs will help us keep our clients better informed.
What I wonder is if browsers ditched the "Secure" moniker in favor of something more accurate like "Encrypted" or "Private", would that cause the average user to wonder? I suspect it wouldn't for most but perhaps it's a small step that could aid in further teaching an uninformed user. After all, the simple lock icon helped train those users over time to believe they were safe, which is sort of how we got to this discussion.
There is definitely a more interesting conversation to be had around how user experience (icons,colors, etc.) trains and conditions users and what can be done to make sure that the conditioning is correct as it pertains to perception of privacy vs security.
We use Fastly's shared SAN certificate at the moment. It's not something I've yet taken the time to research and contemplate the potential issues associated with this. If anyone wants to share some initial thoughts on that, I'm happy to listen.
The big question is, can you trust the CA. The simple answer is: you cannot.
A lot of high profile CAs have been kicked out the major browsers and OS provided root certificates. Prime cause: the CAs did not properly validate the certificates they gave out. This includes EV certificates.
HTTPS is more about preventing third parties monitoring and highjacking your connection than providing authenticity.
I just stumbled upon a nice video that explains why certificates exists, how they can be bypassed and how a company made Google certificates or Lenovo laptops were compromised a few years ago.
Man in the Middle Attacks & Superfish - Computerphile
As a developer: This is really cool and makes a lot of sense. I learned something new.
As a user: EV certs piss me off because they take up more room. And if it is green it is green, I scan past the name, I don't think users will ever learn the difference. But they will notice the EV takes up more room.
Great and clear article.
Thanks!
I use Let's Encrypt, and I certainly appreciate being able to have a certificate without breaking my ($0) budget!
Very informative article, as well as an excellent link to more info. :)
This was good to know.