With Google Chrome’s HTTPS deadline only weeks away, we’re seeing an uptick in SSL purchases as website owners hurry to get ahead of the coming changes. For many, however, purchasing an SSL certificate comes with a number of questions and considerations – one of the most common being: “What’s the difference between validation levels?”
SSL certificates serve two critical functions: encryption and authentication. More often than not, people focus largely on encryption. This is particularly true right now, with website owners seeking to avoid those pesky “Not Secure” warnings from browsers. However, the less considered authentication piece of the equation is also hugely important – especially if you are a business or ecommerce website.
Most people know that SSL certificates encrypt the connection between your visitors and servers to ensure that data in transit – things like credit card numbers, usernames, and passwords – stays private and untampered. When it comes to enabling encryption and confirming the domain owner, Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) SSL Certificates are technically the same. However, visitors today also increasingly want to know who they’re really connecting to online, and whether they’re legitimate. This is where the authentication piece comes in. Understanding how the various certificate options differ on this point and choosing the best one for your business can help to increase trust in your online presence.
Don’t Underestimate the Importance of Trust
Doing business on today’s fraud-filled web means putting your visitors’ fears at ease. According to a recent global survey conducted by Ipsos and the Centre for International Governance Innovation (CIGI), 49% of people said they are increasingly concerned about their privacy online, and lack of trust is the main issue keeping them from shopping online.
With new disclosures about privacy breaches coming to light on a seemingly daily basis, and stories of identity theft becoming commonplace, it’s no surprise that consumers are getting savvier and demanding proof that businesses are who they say before they’re willing to share personal or transactional information. With this in mind, it just makes good business sense to follow the lead of well-respected companies and select a higher-validation SSL Certificate that offers more extensive authentication.
It’s Not a Level Playing Field
For the uninitiated, there are three levels of authentication available in SSL Certificates. The higher the certificate level, the more in-depth the authentication, or validation process – and the more meaning and value it has for you and your visitors. Let’s take a deeper dive into each certificate type’s validation requirements.
Domain Validation (DV)
To implement a DV SSL Certificate, you must simply validate that you own the domain it will be associated with. In the past, this was most commonly done by responding to an email that’s sent to the domain registrant’s email address, but today verification increasingly entails proving you have control of the domain by putting a unique DNS record in place, or uploading a unique file to your website.
To explain by way of analogy, DV is like ordering pizza for home delivery. When placing the order, the pizza place always asks for the phone number, and then often calls back to make sure the person answering is the same person who ordered. The pizza guy doesn’t ask for ID or any proof of who exactly is on the phone placing the order, but rather is satisfied that the order is legitimate because it came from a verified phone number.
So, while basic indicators like HTTPS and the padlock icon confirm there’s encrypted communication in place, your website visitors lack additional validation of who’s really on the other side.
Best Fits: If you host a blog, are a one-person entity, business or org that’s already well-known and trusted by your visitors, or don’t need more than encryption, DV might be the way to go.
Issuance Time: Can often be done in just minutes.
Organization Validation (OV)
For these mid-range certificates, you do have to go so far as proving your company or organization is legitimate by providing up-to-date documentation. OV certificates come with a clickable site seal so that visitors can see your organization details and feel confident it’s actually you on the other end of the connection.
To use our pizza analogy again, with OV the pizza place would also ask for ID while on the phone, and then actually verify the ID by calling the Department of Motor Vehicles or whomever, thereby authenticating not only the accuracy of the phone number placing the order, but also that the identity of the person placing the order is legitimate.
Best Fits: OV SSL Certificates should be the bare minimum for any e-commerce site and anyone looking to prove their business and website is legitimate and trustworthy.
Issuance Time: Typically between 1 and 3 days, occasionally longer.
Extended Validation (EV)
This is the highest level of identity assurance available in an SSL certificate and requires a thorough vetting process that includes validation of your domain control and organizational, physical and operational existence. Some of the process is done manually to ensure legitimacy, with a contract sent to the requesting party at the end of the validation process to be signed by an authorized person. Only Certification Authorities who pass an independent audit are allowed to offer EV SSL certificates, so they are not available from all CAs.
This longer and more rigorous issuance process comes with major payoffs. Only EV SSL certs display a registered company name and country code within a green address bar – features that are impossible to fake. As a universally recognized symbol of reputability on the web, the green bar is reassuring and entrenched in our internet-psyches from encountering it all day long on authoritative websites we frequent, such as Google, Twitter, Amazon, Gov of Canada, Shaw, Telus, The Globe and Mail, CTV, Real Canadian Superstore, Loblaws, Canadian Tire, Webnames and the list goes on. The positive association builds trust and confidence, qualities that in turn are proven to boost conversion rates. Plus, it’s more affordable than you think – you can get an EV SSL certificate for a single domain for just a few hundred dollars a year.
Best Fits: EV is recommended for national brands, brands that want to maximize confidence and sales conversions, and businesses looking to show visitors that their security is of the utmost importance. It’s also a great way to differentiate yourself from the competition.
Issuance Time: It can take approximately 3-10 days to complete the vetting process.
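The three levels are recorded in the certificate itself: in the identity fields of its subject and in the CA/Browser Forum certificate-policy OID it asserts. The following is an added example, not code from this article, that classifies a certificate from those two signals and flags a mismatch between them. The sample certificates are constructed, the subject keys are assumed to use the names Python's ssl.SSLSocket.getpeercert() reports, and policy_oids is a hypothetical parameter the caller fills from a separate X.509 parser.

```python
# CA/Browser Forum reserved certificate-policy OIDs.
CABF_POLICY_LEVEL = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.1": "EV",
}
# Subject attributes an EV certificate carries in addition to organizationName.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "CA"),),
                       (("organizationName", "Example Org Ltd."),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "CA"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "CA"),),
                       (("organizationName", "Example Org Ltd."),),
                       (("commonName", "pay.example"),))}

def flatten_subject(cert):
    """Turn getpeercert()'s nested subject tuples into a flat dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def level_from_subject(subject):
    """Heuristic: which level do the identity fields in the subject imply?"""
    if "organizationName" not in subject:
        return "DV"  # no vetted organization identity, domain control only
    return "EV" if EV_SUBJECT_FIELDS.issubset(subject) else "OV"

def validation_level(cert, policy_oids=()):
    """Return (level, consistent). A single declared CA/B Forum policy OID wins;
    consistent is False when the subject fields contradict it.
    policy_oids is assumed input: getpeercert() does not expose policies."""
    implied = level_from_subject(flatten_subject(cert))
    declared = {CABF_POLICY_LEVEL[o] for o in policy_oids if o in CABF_POLICY_LEVEL}
    if len(declared) != 1:
        # None declared: subject heuristic only. Several declared: conflict.
        return implied, not declared
    level = declared.pop()
    return level, level == implied

if __name__ == "__main__":
    print("dv", validation_level(DV_CERT))
    print("ev", validation_level(EV_CERT, ["2.23.140.1.1"]))
    print("mislabelled", validation_level(OV_CERT, ["2.23.140.1.2.1"]))
```

A result of (level, False) means the subject fields and the asserted policy disagree, which is worth a closer look during a certificate inventory or audit.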
The Choice is Yours
Your website has a lot of heavy lifting to do to win the hearts, minds and purchases of online visitors. If it doesn’t make them feel confident about engaging with you, you’ll be at a disadvantage. Your SSL certificate is an integral piece of establishing and maintaining trust online, so knowing what they do, and don’t, communicate to your visitors is important to your online success. Choose wisely.