This piece, part two in Practical Ecommerce’s series on the new Extended Validation SSL certificates, looks at the challenges still to face for consumer-wide adoption of EV SSL. Part one of the series is an interview with an EV SSL expert at Comodo, an EV SSL issuer.
Online shoppers know to look for a yellow padlock icon to verify that their shopping information is encrypted. Now, when customers want to know if they’re shopping at the real merchant—and not some spoof site—they also can look for a green bar.
This green bar is part of a new process called Extended Validation Secure Socket Layer Certification, a ramped up version of the SSL Certificate that made encryption of customer-input pages mainstream. It began appearing Jan. 22 as shading behind EV SSL-certified URLs shown in most browser windows. It provides a visual clue that the site has gone through additional checks to confirm its legal ecommerce status. However, adoption faces several challenges.
Just as Firefox and Internet Explorer 7 or, in beta version, Internet Explorer 8 are the only browsers able to interpret 256-bit encryption, the green bar also has browser adaptability issues. As the first ecommerce site to try VeriSign’s EV SSL, during its beta phase in 2006, Overstock.com’s customers couldn’t see the green bar portion until January 2008. That’s when Microsoft programmed Internet Explorer 7 and IE8 to “go green,” says VeriSign VP of SSL Marketing Tim Callan.
Firefox 3 and Opera 9.5 browsers followed in June. The green bar still doesn’t show in such major browsers as Safari, some Windows XP systems, non-updated versions of Internet Explorer 6 and FireFox 2, and earlier versions of Opera, Firefox, Mozilla and other browsers.
“Root store” upgrades
There are 28 “Certificate Authorities” that can issue EV SSL certificates. Every issuer has its own programming for showing customers the green bar. So while one issuer may show the green bar on the customer’s first visit to an EV SSL site, another may not show it until the second visit or until after the browser window has been refreshed.
With VeriSign’s EV SSL, for example, “XP clients don’t automatically have the extended roots in them to see EV SSL,” Callan says. “Those have to be seeded with the root first.” Users must first visit a VeriSign Secured Seal site. The Secured Seal triggers an Extended Validation upgrader. Once the upgrade occurs, “the next time you visit that site, or any EV SSL site certified by VeriSign, you’ll see the green bar,” Callan says.
Contrast that with Comodo’s root store upgrade process. Comodo was the second issuer of EV SSL certifications, releasing theirs just behind VeriSign. “Our solution is called the Auto Enhancer, and it installs with the SSL certificate itself,” says Bill Fallon, Comodo’s VP of marketing. “All that an e-merchant or the person maintaining their website needs to do is install this auto-enhancer code along with their SSL certificate. From that point on, any site visitor coming to their site will automatically see the green address bar—from the very first time they come to their site.”
The green bar functionality also requires code, called a beacon, in the website itself. Most EV SSL issuers require that the code be placed on every encrypted page of a site. Others require it only on the home page for site-wide acceptance. Comodo has its own process. “We’re the only site in the industry that works with one quick install code on the server,” Fallon says. “It installs and maintains just like an SSL certificate, which means it doesn’t require any changes to individual web pages.”
E-merchants can get an SSL Certificate in less than two days; that’s not the case with EV SSL Certificates. It takes several weeks for an e-merchant to pass through the EV SSL process, largely due to the additional fact checking required.
Meanwhile, EV SSL costs start at around $350 per year, which is at least a couple hundred dollars more per year than standard SSL. This budgetary sticking point is making it difficult for e-merchants to fully sign on to a functionality that isn’t yet available to every potential customer.
Schooling the shopper
Finally, there’s the challenge of “consumer education around understanding why the browsers are turning green,” says Callan at VeriSign. This education is taking several forms. First, customers downloading an EV compatible browser will get some sort of explanation on the green bar. Second, information is being passed to consumers by the e-merchants using EV SSL certificates. “They’ll say something like ‘We’ve chosen to use EV SSL; here’s what it looks like and here’s what it means,’” Callan says.
Meanwhile, VeriSign itself is undergoing a “pretty extensive” consumer marketing campaign, buying billions of impressions this year to explain that “when you see the green address bar,” Callan says, “here’s what it means.”