Practical Ecommerce

SSL Certificates: Extended Validation Worth the Cost?

Internet users interact with SSL certificates when they access a web page or transmit data over the web. These certificates help confirm the rightful owner of the site, and that payment and other information is encrypted and safely transmitted.

However, one size of SSL certificates does not fit all websites, and there are many different levels of identification validation that go along with a certificate.

Melih Abdulhayoglu, CEO of certificate authority Comodo, has made it his mission to increase standards of identity validation in the certification space. For the last three years, Abdulhayoglu has been instrumental in promoting the extended validation certificate, which uses a more rigid standard of verification than previous certificates.

Melih Abdulhayoglu


“An SSL certificate serves two purposes: security and trust,” he said. “Security because it encrypts information and trust because it displays an icon or other indicator that shows the data is secure because it’s encrypted.”

Different Levels of SSL Certificates

Until recently, most basic certificates only verified that the person or business with the certificate owned the domain name displayed in the URL bar. But, Abdulhayoglu and other certificate authorities found this level of verification unsatisfactory, especially with ecommerce, when consumers are asked to trust a website’s encryption enough to enter their credit card information.

“People trust those yellow padlocks, and half of them are not verified,” he said. “The ones issued are domain validation, and they just check if you own a domain. You cannot have encryption without trust.”

In 2005, Abdulhayoglu brought together many of the important software companies in the certification field for the first meeting of what would become the Certification Authority Browser Forum, which developed the standards for the extended validation SSL certificate.

“This requires us to find you or your company in a credible third-party database,” Abdulhayoglu said. “Once we find you, it requires you to validate your telephone number. It’s a very high validation standard, and there is a certain rejection ratio. It’s good enough for ecommerce. With EV, you know who you are transacting with.”

Site owners can purchase a simple, non-EV certificate by merely confirming that they own the domain name. The process is quick, done entirely online, and the certificate is typically ready to use minutes after the purchase.

But for EV certificates, most certification authorities require confirmation of other items, such as the business’s physical address, phone number, incorporation documents, and more. It can get complicated to confirm and the process can take days, not minutes.

For example, if a business uses one address for its domain registration, and then another one for its telephone number or mailing address, an EV application could be rejected. They must all match. Similarly, if a business has a domain name registered under one business name, but the telephone number is listed as another business, an EV application could be rejected.

Do Consumers Know the Difference?

Most browsers now recognize the EV certificate and display a green URL bar when it is present. Abdulhayoglu said 40,000 sites are now using this type of certificate. Yet many consumers still do not know the difference between an EV certificate and one with less stringent validation. Extended validation is currently not a requirement for ecommerce businesses.

Michael Stearns, CEO of ecommerce service provider MightyMerchant, said without consumer awareness of what extended validation means, there is little incentive for merchants to purchase these more expensive certificates. Stearns’ company works with merchants to develop ecommerce websites.

Michael Stearns


“For most site owners, I don’t think the problem is that the shopper gets to the checkout page and they start wondering whether the domain is legitimate or it is a fake,” Stearns said. “Most shoppers are primarily concerned to see the security lock. Certainly there are a lot of phishing schemes out there, but the same shopper who is going to fall for the phishing scheme is likely not going to be knowledgeable about EV certificates to fully understand what the added level of verification means.”

EV Certificates Cost More Money

The price of domain-verified SSL certificates varies and depends on whether they cover single or multiple domains, and on the level of encryption. For single domains with a one-year commitment, GoDaddy.com offers them from about $50 per year, VeriSign from $399 a year and GeoTrust from $249 a year. Abdulhayoglu’s company, Comodo, offers this type of certificate for $139 per year.

But EV certificates are more expensive, and merchants must weigh whether the extra expense is worth it. The price for EV certificates varies, depending on the number of domains, the term of commitment and on the level of encryption and validation. GoDaddy.com charges roughly $100 per year for its EV SSL. VeriSign prices its EV certificate from $995 per year, and GeoTrust’s EV SSL prices start at $899 per year. Comodo’s EV SSL certificates start at $359 per year.

Other Types of SSL Certificates

There are also more subtle types of certificates intended for site owners with more specific needs. Abdulhayoglu said there is a different variation called a multi-domain extended validation certificate, applying the extended validation standards to multiple domain names hosted on the same server. With this certificate, each domain name is validated individually.

Businesses with more than one hostname on the same domain name (server1.example.com, server2.example.com, etc.) can secure them all under a wildcard certificate, named for the “wildcard” asterisk used as the server name. The “*” is used as a substitute for all hostnames occurring to the left of the main domain.
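The matching rule behind a wildcard name, as an added example that is not from the article or any certificate authority: the asterisk stands for exactly one label, so *.example.com covers server1.example.com but neither the bare domain nor deeper hostnames. The function names and the host inventory are constructed for illustration, and the rules are the conservative ones from RFC 6125 and common browser behaviour.

```python
def _labels(name):
    # Case-insensitive, ignore a trailing root dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """Return True if a certificate name covers the hostname.

    Conservative rules, following RFC 6125 and common browser behaviour:
    "*" must be the whole left-most label and stands for exactly one label.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if "" in pattern or "" in host or len(pattern) != len(host):
        return False
    if any("*" in label for label in pattern[1:]):
        return False                      # wildcard only in the left-most label
    if "*" not in pattern[0]:
        return pattern == host            # ordinary exact-name certificate
    if pattern[0] != "*" or len(pattern) < 3:
        return False                      # rejects "serv*.example.com", "*.com"
    return pattern[1:] == host[1:]


def uncovered_hosts(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory for the article's example domain.
HOSTS = ["server1.example.com", "server2.example.com",
         "example.com", "mail.eu.example.com"]

if __name__ == "__main__":
    print(uncovered_hosts(["*.example.com"], HOSTS))
    print(uncovered_hosts(["*.example.com", "example.com"], HOSTS))
```

Running the check against a host inventory before buying shows which names still need their own entry on the certificate.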

For site owners that use Microsoft’s MS Exchange or Office Communications Server, the Unified Communications Certificate meets their certification needs and is supported by these programs. Many different certification companies offer this certificate.

Extend Validation, or Not

PayPal's green URL bar, for extended validation, as seen in Firefox.


However, Abdulhayoglu maintained the most important distinction is between extended validation certificates and non-extended-validated ones. He said it is up to credit card companies to accept extended validation as a necessary part of PCI compliance.

“PCI is a great standard, and I think they should take it to the next level by putting EV as a minimum standard for anyone accepting payments online,” he said.

Although browsers already display when a site has extended validation, both Stearns and Abdulhayoglu said most consumers are not aware of the difference. While an extended validation requirement, if it could be enforced, would undoubtedly cut down on the number of successful phishing and scamming attempts, there remains little incentive for smaller merchants to pay more for more identity checks. Stearns said large ecommerce companies have different needs than smaller ones when it comes to certification.

“We have gone through [the EV] process for some of our customers,” Stearns said. “But without an understanding on the part of consumers, I do not see a strong value and justification for the extra cost for an EV certificate. For a large ecommerce vendor, I think it makes sense to get the EV cert, but for a smaller vendor on a limited budget, I don’t think it is the best place to spend money.”

Internet Explorer 7, Mozilla Firefox (through add-ons), Safari, Opera and Google Chrome all support extended validation by notifying their users, via the change of colors in the browser bars, when they visit an EV site. As such, most consumers have the ability to verify that they can trust a site before they enter sensitive information. Whether or not they demand this level of trust is a different matter.

Brendan Gibbons



Comments ( 12 )

  1. Mike Masin September 16, 2010 Reply

    I agree that an EV cert isn’t needed by all sites but I believe that it’s an absolute requirement for sites that manage information that goes beyond payment data like banking, financial, and medical sites.

    eShoppers are getting more sophisticated about protecting themselves and they will begin to look for the EV bar especially if they’ve been burned. You have to earn your customer’s trust and having an EV cert raises your trust score.

  2. Michael Stearns September 16, 2010 Reply

    Mike, your point is well taken. EV is an absolute in certain industries.

    And, it will grow in importance as consumer awareness grows.

    But if I was advising a small Ecommerce site owner who was getting started, had a limited budget, and was asking how to best build trust on her site, I would put several other important steps ahead of purchasing the EV cert.

  3. Certs 4 Less September 16, 2010 Reply

    Mike & Michael,

    You both make very compelling arguments. I personally feel there are potentially two large issues with EV.

    The first is that most consumers are still unaware of the green bar and what it really does. We find many merchants themselves are still unaware of the green bar, and EV has been around for many years now. We also find it disheartening that many of the top 100 websites on the web still do not use EV certificates for their own websites.

    The second potential issue with EV is the lack of the bar maintaining its green status because of the inclusion of non-SSL traffic sources. Many websites may include http:// in the "src" fields of their code, not realizing that linking to even one non-secure object will render the bar no longer green. In our opinion CDNs should all incorporate the ability to fetch content using an https:// link just as you would using an http:// link.

    The bottom line to us is more needs to be done to still educate the public on the differences and the importance of the green bar. The biggest benefit to this is helping to prevent phishing/malware sites so that you know by typing in the domain in the browser url you are in fact on the real website and not a phishing site that has a domain validated certificate to make it seem secure and the same site.

  4. Alex Mulin September 16, 2010 Reply

    Small business owners can benefit from using EV certs as well. Comodo provides a generous offer through their resellers – anyone who buys, say, Instant SSL can get a free EV upgrade for 1 or 2 years. Thus SMBs can try out EV and see how it works for them.

  5. erikschubach September 21, 2010 Reply

    I am actually not a big fan of the EV certs. They provide no more encryption than a normal certificate and the "third party sources" required to get an EV are easily faked if you are a scammer or phisher. I only see the EV as a "new way" for certain companies to cash in on a falsely perceived sense of security.

    The average consumer does not know the difference between an EV cert and a standard one. That will only change if the people that stand to profit from EV certs advertise about it in order to boost their profits by making consumers think that shopping online is "dangerous" unless that address bar is green.

    I do not buy into the implication that the EV certs were created for anything but a profit center. If they truly created them to keep sites safer, they should offer the certs for free and form a non-profit foundation to support them.

    Just my two-cents worth.

  6. ClickSSL.com September 28, 2010 Reply

    I accede that an EV Cert absolutely isn’t bare by all sites but I accept that it is an complete necessary for sites that administer advice that goes above transaction abstracts like banking, financial, and medical sites.

    eShoppers are accepting more perverted about attention themselves and they will activate to attending for the EV bar abnormally if they accept been burned. You accept to acquire your customer’s trust and accepting an EV Cert absolutely raises your trust score.

    http://www.clickssl.com

  7. sslcertificates October 5, 2010 Reply

    Extended Validation (EV) SSL certificates are the way to go if you’re conducting business online. Ask yourself these questions:

    * Is consumer confidence important to me?
    * Is my business one that can be confused with Phishing sites?
    * Is my brand strong enough to create trust?
    * Can I afford an EV certificate if it helps me close 20 percent more business?

    If you have answered yes to all of the questions above, especially the last one, you should upgrade to an EV SSL certificate. It’s all about ROI.

    To test your opinion about EV SSL, just check the URL of the above comments and the URL of this comment and you will find the difference.

    https://www.thesslstore.com

  8. erikschubach October 13, 2010 Reply

    @sslcertificates: Wow, you are a walking commercial for EV certs, makes me think you have a vested interest in them.

    EV certs cannot help you close 20 percent more business, I know this from firsthand experience on multiple sites for clients. The general public doesn’t know the difference between an EV and standard cert. The ONLY way you would be able to get a 20% increase in conversion is if you are blatantly advertising the difference on the site in question or misinforming the customers that an EV cert makes the site more secure.

  9. Jim Armstrong March 18, 2013 Reply

    To gain the customer’s trust and confidence, an EV certificate is the best choice. The green bar says about the website that “this is a secure website and your credential is secure on this website”. If you are an online seller then you need an EV SSL certificate. Nowadays most people are aware of phishing and online scamming, so all web users want the best security on a website where they share their credentials and banking details. So an EV SSL certificate helps web users to secure their information and the web owner to attract more users and improve the business.

  10. Brian Bell February 4, 2014 Reply

    I own a mental health clinic and my entire website is forced EVSSL. We don’t even process payments online. We just use the SSL for our contact form and employment applications. But our clients love seeing that green bar with our name in it. They tell me it inspires confidence from the moment they click in. Bottom line… if you don’t take EVSSL seriously, nobody is going to take your website seriously. EV is worth the time, money, and hassle.

  11. evOwl March 23, 2016 Reply

    Domain validated SSL is free thanks to https://letsencrypt.org

    EV SSL certificates are currently around $100 / year. I think most companies would consider that a small business expense.

    http://www.evOwl.com

  12. Paula P. Piccard October 4, 2016 Reply

    Great and useful information. Thank you!