7

Every time an SSL cert comes up for renewal, my provider tries to sell me an Extended Validation certificate. The big difference is the green address bar in Firefox and Safari for quadruple or quintuple the cost.

Supposedly, the benefit (and reason for the green bar not shown in IE8 or Chrome) is deeper authentication of the requesting party. But I can detect little actual difference between Verisign's own minimum requirements (from their CPS) for all SSL certs (section 3.2.2):

At a minimum VeriSign shall:
• Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,

• Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.

Where a domain name or e-mail address is included in the certificate VeriSign authenticates the Organization’s right to use that domain name either as a fully qualified Domain name or an e-mail domain.

and EV requirements (Appendix F14C):

(C) Business Entities
To verify a Business Entity’s legal existence and identity VeriSign verifies that the Entity is engaged in business under the name submitted by Applicant in the Application. VeriSign verifies that the Applicant’s formal legal name as recognized by the Registration Authority in Applicant’s Jurisdiction of Registration matches Applicant’s name in the EV Certificate Request. VeriSign records the specific unique Registration Number assigned to Applicant by the Registration Agency in Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the Applicant’s date of Registration will be recorded. In addition, the identity of a Principal Individual associated with the Business Entity is verified in accordance with Section 14(b)(4) of the EV Guidelines.

So:

1) Do EV certificates actually inspire more trust among users?

2) Do EV certificates actually help fight phishing/fraud/any of the things vendors list?

3) If they actually performed the minimum requirement, doesn't that include all the EV stuff? What am I missing?

sh-beta
  • 6,868

7 Answers

3

Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).

First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800 page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.

On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.

As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:

The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.

To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.

Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.

womble
  • 98,245
2

No, Extended Validation (EV) TLS certificates aren't effective.

The consensus among independent security researchers is that EV certificates failed at protecting against phishing and fraud in a better way than standard certificates.

As a consequence, all major browser vendors removed special EV integration and visual indicators in the address bar, around 2019.

See for example the announcement from Google Chrome's team (document):

Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading below). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections.

Their further reading list summarizes and references several studies and is also worth a look.

Similar statement by Firefox:

A recent study by Thompson et al. shows that the display of the company name and country in the URL bar when the website is using an Extended Validation TLS certificate does not add any additional security parameters. One of the biggest downsides with this approach is that it requires the user to notice the absence of the EV indicator on a malicious site. Furthermore, it has been demonstrated that EV certificates with colliding entity names can be generated by choosing a different jurisdiction.

A summary of this development by Troy Hunt, an independent web security consultant: Extended Validation Certificates are (Really, Really) Dead, 2019 - which concludes with:

EV is now really, really dead. The claims that were made about it have been thoroughly debunked and the entire premise on which it was sold is about to disappear. So what does it mean for people who paid good money for EV certs that now won't look any different to DV? I know precisely what I'd do if I was sold something that didn't perform as advertised and became indistinguishable from free alternatives...

It is not only that getting an EV certificate is a waste of money; EV certificates may even facilitate additional phishing attacks by providing a false sense of security and trust:

Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page https://stripe.ian.sh/. When viewed in the address bar, the page looks eerily similar to https://stripe.com/, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.

(Ars Technica: Nope, this isn’t the HTTPS-validated Stripe website you think it is, 2017 (bleepingcomputer reporting on the same story))

So business names aren't necessarily unique and the extended validation and vetting some CAs promise isn't worth the paper it's printed on.

Another example that demonstrates extremely sloppy validation in EV certificates:

Why are there so many errors?

This seems crazy to me. As a security researcher with a little bit of interest in this field, I was able to find over 4,000 EV certificates that needed to be revoked, corrected and re-issued by the CA in question. Assuming an average cost of $250* per certificate, that's $1,000,000 worth of EV certificates that needed revoking.

(Scott Helme: Extended Validation not so... extended? How I revoked $1,000,000 worth of EV certificates!, 2019)

Also, before browsers removed prominent EV integration, besides studies showing EV indicators to be ineffective at guiding users, even high-profile sites like PayPal were inconsistent in their EV certificate usage without any real consequences:

The entire value proposition put forward by the commercial CAs selling EV is that people will look for the indicator and trust the site so... it's pretty obvious that's not happening with PayPal.

(Troy Hunt: PayPal's Beautiful Demonstration of Extended Validation FUD, 2019)

Similar criticism, stated more generally:

On a serious note though, my biggest problem with EV certificates is that they 100% depend on the user to work. When we have phrases like "the user must look for the EV indicator in the address bar" or "the user should check the information is accurate", you can forget about it ever being effective. I'm not criticising users, I'm a user, we're unreliable! WE SHOULD NOT DEPEND ON THE USER.

(Scott Helme: If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate, 2022)

According to that article, in early 2022, EV certificate numbers dropped to 10k or so (in the top 1e6), while they peaked at 25k or so in 2018, although the demand for certificates securing https likely increased very much in that time frame.

maxschlepzig
  • 1,224
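The "colliding entity names" problem from the Firefox statement and the Stripe Inc. story above, worked through as an added example (this is not code from the page or from any of the answers' authors). It parses the subject Distinguished Names of EV certificates the way a fleet inventory script would, and shows that the organisation name and country the old green bar displayed can match while the fields that actually identify the legal entity (jurisdiction of incorporation and registration number) differ. Everything in `SAMPLE_CERTS` is constructed: the hostnames and registration numbers are placeholders, not the real certificates from the story; the two policy OIDs are the CA/Browser Forum EV and DV identifiers.

```python
# Added example; not code from the page or from any of the answers' authors.
# It models EV subject Distinguished Names to show why two certificates can
# carry the same organisation name and country while naming different legal
# entities. All certificate data below is constructed for illustration.
from typing import Dict, List, Tuple

# CA/Browser Forum certificate-policy OIDs (well known, not page-specific)
EV_POLICY_OID = "2.23.140.1.1"
DV_POLICY_OID = "2.23.140.1.2.1"

# Constructed sample inventory: subject DNs in RFC 4514 string form plus the
# policy OIDs each certificate carries. Hosts and registration numbers are
# placeholders, not the values of any real certificate.
SAMPLE_CERTS: List[dict] = [
    {
        "host": "stripe.example",  # placeholder for the real payments site
        "subject": "CN=stripe.example,O=Stripe\\, Inc,C=US,"
                   "jurisdictionC=US,jurisdictionST=Delaware,serialNumber=PLACEHOLDER-1",
        "policies": [EV_POLICY_OID],
    },
    {
        "host": "stripe-lookalike.example",  # placeholder for the look-alike site
        "subject": "CN=stripe-lookalike.example,O=Stripe\\, Inc,C=US,"
                   "jurisdictionC=US,jurisdictionST=Kentucky,serialNumber=PLACEHOLDER-2",
        "policies": [EV_POLICY_OID],
    },
    {
        "host": "blog.example",  # an ordinary domain-validated certificate
        "subject": "CN=blog.example",
        "policies": [DV_POLICY_OID],
    },
]


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN string into {attribute: value}.
    Backslash-escaped characters (e.g. the comma in O=Stripe\\, Inc) are
    kept literally instead of being treated as separators."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character, part of the value
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    parsed: Dict[str, str] = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parsed[attr.strip()] = value.strip()
    return parsed


def is_ev(cert: dict) -> bool:
    """An EV certificate is recognised by its policy OID, not by its subject."""
    return EV_POLICY_OID in cert["policies"]


def display_identity(subject: Dict[str, str]) -> str:
    """What the green bar used to show: organisation name plus country."""
    return f"{subject.get('O', '')} ({subject.get('C', '')})"


def legal_identity(subject: Dict[str, str]) -> Tuple[str, str, str, str]:
    """The EV subject fields that actually distinguish one registered entity
    from another: name, jurisdiction of incorporation and registration number."""
    return (subject.get("O", ""), subject.get("jurisdictionC", ""),
            subject.get("jurisdictionST", ""), subject.get("serialNumber", ""))


def compare(cert_a: dict, cert_b: dict) -> Dict[str, bool]:
    """Report whether two certificates look the same to a user and whether
    they name the same legal entity."""
    a, b = parse_dn(cert_a["subject"]), parse_dn(cert_b["subject"])
    return {
        "both_ev": is_ev(cert_a) and is_ev(cert_b),
        "display_name_matches": display_identity(a) == display_identity(b),
        "legal_identity_matches": legal_identity(a) == legal_identity(b),
    }


def find_display_collisions(certs: List[dict]) -> Dict[str, List[str]]:
    """Inventory check: group EV certificates by displayed identity and return
    the groups where one displayed name covers more than one legal entity."""
    by_display: Dict[str, List[Tuple[str, Tuple[str, ...]]]] = {}
    for cert in certs:
        if not is_ev(cert):
            continue
        subject = parse_dn(cert["subject"])
        by_display.setdefault(display_identity(subject), []).append(
            (cert["host"], legal_identity(subject)))
    return {display: [host for host, _ in entries]
            for display, entries in by_display.items()
            if len({legal for _, legal in entries}) > 1}


if __name__ == "__main__":
    print(compare(SAMPLE_CERTS[0], SAMPLE_CERTS[1]))
    print(find_display_collisions(SAMPLE_CERTS))
```

The design point is that `display_identity` is the only comparison a user could ever have made from the address bar, while `legal_identity` needs fields that no browser UI surfaced; a certificate inventory that flags display-name collisions across differing jurisdictions is the nearest thing a defender can do with the data, and it has nothing to do with the user noticing anything.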
2

The idea was that Certificate Authorities would spend the money you paid for a certificate to make sure you actually were who you said you were, by checking official records and fun things like that. They soon realised they could make more money if they didn't do as many checks, and many just check that you can receive email to the domain you're creating a certificate for. Then a bunch of people got together and said "well, you're not really doing the job you were meant to be doing" and the CAs came back and said "well why don't we create EV certificates, which we'll do more rigorous checks on, like we were originally meant to", so now you have standard certificates and EV certificates, which have had more rigorous identity checks performed. The browser makes it clear that these new certificates are different, presumably so people who've bought an EV certificate can feel they've got something worthwhile for their extra money.

But in the end, most people don't have a clue about security or encryption and as long as they see a padlock they assume they're secure. Yes an EV certificate is better, but most people wouldn't know the difference.

For technical people, I think you can consider normal certificates good for encryption only, and EV as encryption with better authentication.

David Pashley
  • 23,963
1

I do not think anyone will ever consciously think to mention it to you, but we used to have a lot of customers who would ask us to create private listings on eBay for items because they felt safer doing business there. In reality we've been in business for 15+ years, are nearly the largest vendor in the world for our product, and yet, we have a specialized market and therefore not a lot of recognition with new customers.

The point of an EV is just so that consumers know you're not just some fly-by-night website put up by Joe Conman, but rather, that you're an actual business, doing business in a regular fashion, with known and registered location and identities. That's not a small deal for a lot of people.

Ultimately, if EV works, it'll be somewhat transparent, but it'll mean more people finish their purchases because they feel more secure (and rightfully so).

Rob_vH
  • 111
1

We purchased an EV cert. I've NEVER had anyone tell me they were glad we had it. I'd be willing to bet that the majority of internet users would enter all of their information on a non-secured site and wouldn't even notice if it was secure or not.

GregD
  • 8,753
1

Well, hard to tell. Probably most users don't really understand the difference to regular certificates, though the green bar will usually be noticed, and some might get a feeling that it is "safer".

There is a study here: http://www.verisign.com/static/040655.pdf on the effects of EV certs on web users. It seems to have a noticeable effect in that study, e.g. 59% of users said they'd become suspicious if a site that used to have a green address bar stopped having one.

However, the study is commissioned by Verisign, so take it with a grain of salt.

I would say that for most people EV probably does not matter, but to those for whom it does, it will be a point in your favor. So if the cost is not prohibitive for you, get one.

sleske
  • 10,234
1

Most of the answers here have both sides covered, but I figured I'd chime in (even though, as I work for Thawte, I may also be taken "with a grain of salt"). EV SSL works splendidly to solve a very serious problem -- verifying the identity of websites and encrypting connections between them, which cuts down on phishing significantly -- but oddly enough most discussions are less about whether or not it works and more about whether or not people will notice. And due to skepticism surrounding consumers' recognition of the technology, some sites have opted out of EV -- despite the fact that most IT professionals are arguing that widespread encryption will be the only way to maintain a secure internet, and when a good deal of what EV SSL does in the first place is to educate consumers so they can discern between fake and real sites (the green url bar, etc). So it's a catch-22. Consumers will never learn unless they get their hands on technology like EV, and learn that stuff like padlocks and CAs really aren't all that inaccessible to the layman, but since they aren't educated enough to tell the difference at the moment EV is avoided as a money trap. This is a shame, because studies have shown that EV can reduce the amount of abandoned shopping carts and other obstacles to conversion (not only in the VeriSign study but in other independent 3rd party studies). And, of course, everyone needs some kind of encryption.

My advice: most companies offer a 30-day trial of EV or some such. Try it out and maybe run a few casual surveys with your customers to see how they respond. That should give you a better sense of whether or not it's a good investment for you personally.