In the third and final blog in our recent SSL series, we are taking a closer look at EV SSL, or extended validation certificates, including who might benefit from using them and whether they are worth the additional cost.
In earlier blog posts, we discussed the coming industry changes that are making encryption a requirement for all webpages, starting with Google Chrome’s “Not Secure” warnings that will be rolling out this July across all HTTP webpages. It’s important to state that all SSL certificates encrypt information the same way, and therefore meet the HTTPS requirements of browsers, but encryption is only part of the online confidence equation that organizations need to be thinking about.
“Phishers are Loving HTTPS”
Irrespective of the website you have - be it informational, ecommerce, media or government - it’s essential that visitors know they can trust you, given the escalation of phishing and spoofing on the web. A 2017 survey of over 1000 firms conducted by the Canadian Securities Administrators (CSA) found that phishing and impersonation via fraudulent emails were the first and third most common cyber incidents experienced by Canadian businesses.
With more than 1.4 million new phishing sites being created each month, visitors are justified in acting cautiously and being skeptical of unfamiliar websites. Another complicating factor is that Domain Validated (DV) SSL, or domain validation certificates, are increasingly being used by cybercriminals on phishing websites because the validation requirements are so minimal - namely, the SSL purchaser must confirm that they own and/or control the domain by responding to an email or uploading a file to their website. While DV certificates verify control over a domain, they do nothing to verify who the owner actually is, so a phishing site with a DV certificate still appears trustworthy to browsers.
For those donning their skeptic hat and wondering just how prevalent HTTPS encrypted phishing sites really are, we’ve got some real numbers for you. According to PhishLabs, a phishing research and defense firm, 24 percent of phishing websites were using HTTPS by the end of 2017, and the share was trending up quickly. At the same time the previous year, the number was only 3 percent.
To quote Wired magazine, “Phishers are loving HTTPS” - and they’re doing a great job of keeping up with the encrypt-the-web movement in order to be indistinguishable from legitimate sites.
A Higher Level of Assurance
The major problem with DV SSL is that the automated provisioning process is simply insufficient when it comes to ensuring who’s really at the other end of the connection. Yes, DV SSL is great for making the web safer by encrypting information that’s shared between users and applications, but the barrier of proof around who you’re dealing with is very low. From a technical perspective, your web browser is just as happy to let you log into a phishing website that’s encrypted as it is a legitimate one, provided it meets HTTPS requirements and has slipped through the browsers’ helpful but imperfect screening mechanisms.
The important advantage of Extended Validation (EV) SSL certificates is that they solve the need for both encryption and trust. Like DV and Organization Validated (OV) SSL certs, they activate HTTPS and the green padlock icon in all browsers to encrypt the connection; but, in order to obtain an EV certificate, the purchaser has to undergo a much more extensive validation process that includes:
- Verification that the requesting party has legal rights to use the domain
- Verification that the requesting party has authorized the issuance of the certificate
- Verification of the requesting party's legal, operational and physical existence
- Verification that the requesting party's identity matches the submitted official documentation
Part of the review is conducted manually by Certification Authority (CA) validation staff to ensure legitimacy. EV’s identity review is restricted to entities which have been registered with a government agency or to an actual government agency. If the entity hasn’t been registered, it can’t apply for an EV certificate. Also, only CAs that pass an independent audit are allowed to offer EV SSL certificates. While the process is more rigorous and lengthy - typically taking between 2 and 7 days, depending on whether your company information is up-to-date and how quickly you can supply the documentation - it is the gold standard for independent, third-party validation of an organization’s web presence, satisfying concerns around legitimacy and encouraging visitor confidence.
Compelling Visual Cues
In addition to a higher level of assurance, the other main advantages of EV SSL are its prominent visual cues, including:
- Green address bar
- Company name next to the padlock to the left of the address bar
- Company information included in the certificate details
These features have value because they are impossible to fake; also, criminals are less likely to jump through the hoops required to get an EV certificate, for instance setting up a fake company. The green bar is a well-recognized trust indicator, both reassuring and familiar to our web surfing psyches from frequently encountering it alongside authoritative brands and trusted service providers such as The Globe and Mail, Shoppers Drug Mart, Apple, PayPal and Twitter, to name just a sampling. In a consumer survey conducted by Survata Consumer Research, 42% of respondents indicated that they felt safe on a website when they saw the green bar in use. Quick visual cues, such as the green bar and recognizable website seals, convey to customers that you care about their security and may help to boost conversions among some customers.
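The company information that an EV certificate carries in its details can also be read programmatically. The following is an added example, not part of the original post: it infers DV, OV or EV from the subject fields in the dict that Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample subjects; the function names and the field-based heuristic are assumptions of this example.

```python
# Added example: infer a certificate's validation level from its subject fields.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().
# Heuristic only: the authoritative marker is the certificate-policy OID
# (CA/Browser Forum 2.23.140.1.1 for EV), which getpeercert() does not expose.

# Older OpenSSL builds report jurisdictionCountryName by its dotted OID.
JURISDICTION_KEYS = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}
EV_REQUIRED = ("organizationName", "businessCategory", "serialNumber")

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields

def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' based on which identity fields are present."""
    fields = subject_fields(cert)
    has_jurisdiction = any(key in fields for key in JURISDICTION_KEYS)
    if has_jurisdiction and all(key in fields for key in EV_REQUIRED):
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"  # domain control only: no verified owner in the certificate

def describe(cert):
    """One-line summary: host, inferred level, and the verified owner if any."""
    fields = subject_fields(cert)
    owner = fields.get("organizationName", "owner not verified")
    return f"{fields.get('commonName', '?')}: {validation_level(cert)} ({owner})"

# Constructed sample subjects (not real certificates).
DV_CERT = {"subject": ((("commonName", "login.example.test"),),)}
OV_CERT = {"subject": ((("countryName", "CA"),),
                       (("organizationName", "Example Org Ltd"),),
                       (("commonName", "www.example.test"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "CA"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Corp Inc"),),
                       (("commonName", "shop.example.test"),))}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```

A DV result means the certificate proves nothing about who operates the site, which is the gap the phishing figures above describe.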
What About Conversion Rates
EV certificates are also the only SSL solution that likely provides ROI, in addition to compliance with security standards. I say “likely” here because we like to be evidence-based, and to be fair, the studies attributing increased conversions to EV are all sponsored by Certification Authorities, albeit run by independent research consultancies. This doesn't mean the data isn’t solid; it just warrants transparency.
In surveys commissioned by Thawte and Verisign, websites that implemented EV SSL realized conversion rate increases ranging from 16.9% to 30% depending on the website and industry. But what’s maybe even more compelling is the volume of positive reviews about EV SSL submitted to forums like Quora, WebhostingTalk, and others by IT professionals, webmasters, cybersecurity specialists and marketers who are working hard to create good, secure user experiences and grow their company’s bottom line. Overwhelmingly, they believe EV to be worth the modest additional cost for the following reasons:
- Establishes trust and legitimacy in their web presence
- Aligns their security measures with those used by prominent brands and financial institutions
- Increases confidence to complete online transactions
Is EV SSL a reasonable expenditure for your business or organization? Ultimately, we say yes. Every visitor to your website is unique, and for some, the visual cues or higher level of assurance provided by EV might be the additional feature that gives them confidence in your online identity or sways them to convert. For the difference of a couple hundred dollars per year, at most, isn’t it worth investing in something that could increase visitor confidence, and perhaps even improve conversions? If you would pay as much (or more) for a couple hours of web dev, a boosted social post, or one quality blog post, then the cost is reasonable. By taking the few extra steps to get EV SSL, you’re telling customers you care about their privacy and safety, creating a level of trust that’s worth the money for most organizations.
Choosing the right SSL certificate for your needs can be tricky for some businesses, so we’re here to help you sort through your options and help you get it installed on your website. Give us a call to get the help you need so your website is in the clear come July!