Interview: Comodo Exec On Extended Validation SSL Certificates
Like its SSL precursor, EV SSL certification encrypts customer-entered information and marks the page with a yellow padlock icon. Unlike SSL, this new form of certification comes with much more vetting and a bonus “green bar” in the URL area of most web browsers that clearly indicates a merchant has gone through the appropriate EV SSL application and acceptance process.
In the wake of CNN Money’s coverage of the widespread availability of a new breed of SSL certificates, Practical Ecommerce takes its own look at the Extended Validation SSL Certificates. We sat down with Bill Fallon, VP of marketing for the Comodo Group, one of 28 Certification Authorities providing EV SSL and a member of the original group that created it.
PeC: What is EV SSL?
Fallon: The really important thing about EV certificates is that they’re standardized across the industry, which is new for SSL. We now have validation that everyone has to follow, with results audited by accounting firms every year.
The standards are rigorous too. I stop short of saying it’s impossible for some fraudulent business to obtain one, but we think we’ve struck the balance where it’s something a legitimate business should be able to attain without too much trouble, while making it pretty difficult for a fraudster.
PeC: How does a site qualify?
Fallon: The whole idea behind EV SSL gets into the vetting and validation of a business. To start, the website must have a confirmable physical existence and business presence. That’s really the heart of it.
There are certain types of SSL certificates where all you have to do is show you have title to the domain with an automated look-up. That’s a big loophole for scam artists. With EV certificates, we go through a multi-stage verification process with the site where we verify its articles of incorporation, whether they’re listed in their state government database as an incorporated entity or on Dun & Bradstreet, and other checks.
In cases with a very small enterprise, the CA/B Forum, a vendor-neutral discussion of EV certificates, decided rather than penalize them we needed to come up with accommodations … So sole-proprietorships can qualify, but you need an external verifier to attest to the fact that you have a legitimate business entity at a specific location. You could get an attorney, which we’d verify as an attorney in good standing in that state, to send something on their letterhead verifying your incorporation, physical address and such.
Hopefully we’ve struck a balance.
PeC: How did EV SSL come about?
Fallon: The EV standard was introduced at the very end of 2006—developed through a consortium of major Certification Authorities (including Comodo) and browser software companies (like Microsoft and Mozilla). This standardizing organization is the CA/Browser Forum. It meets to review guidelines regularly, to stay in step with what’s going on around the Internet.
PeC: Why EV SSL?
Fallon: It was really an internal industry response to trust issues related to SSL certifications. For us it was about getting together to fix the problem, and making it much more difficult for fraudulent entities to obtain these kinds of credentials—getting really down into the heart of trust.
If someone sees a ‘padlock’—or we would say now a ‘green address bar’—on the site, people will see that as legitimate. Prior to EV, there were no standards for how a site was validated so you couldn’t really know, as a consumer, if the background check was rigorous or not. Everyone that gets an EV certificate has to go through a standard and audited process. So the consumer question of ‘Is it ABCTennisRacket.com, or someone setting up a scam site?’ is what EV certificates are there to answer.
PeC: The forum rolled out Extended Validation SSL Guidelines in June 2007. How many sites have added it so far?
Fallon: I would say it’s across the industry into the tens of thousands of sites that have adopted this, and growing. SSL certificates are subscription based, in that you have a term for your certification. What we’re finding at Comodo, and I assume this is the case at the other certification authorities, is that when e-merchants’ SSL certificates come up for renewal, they will upgrade to EV. (Renewal is typically one year to three years for an SSL certificate.)
PeC: Who’s getting EV SSL?
Fallon: They’ll get it if they’re an e-merchant or someone collecting sensitive information on the Internet. Banks and credit unions also are going for EV certificates — sites that are likely to be impersonated.
If you just needed an SSL certificate for an email server, it may not make sense to get an EV certificate. But if you have people logging in with a user name and password, or where people are exchanging financial information or payment information, then that’s the time to give your customers the confidence that this is really the place I thought it was—so they don’t feel like they’re walking through a bad neighborhood to get to the store they want to shop at.
That’s the whole core behind it. And it’s catching on.