Understanding SSL Validation

July 21, 2014 | By Kevin Judge

Without SSL and SSL Certificates, e-commerce as we know it would not be possible. All SSL Certificates provide a secure connection between a browser and a server, with all messages encrypted using public-key cryptography and the public key infrastructure (PKI) that issues and validates the certificates.

So, why are there so many product offers at very different prices? Innovative product offerings such as wildcard SSL, which secures multiple sub-domains, is one reason. Bundling of other services with SSL, such as the HackerGuardian vulnerability scanning service, is another.

However, the main difference in the cost of an SSL Certificate is the level of identity verification performed by the certificate authority issuing the certificate. Identity verification can assure visitors that the site can be trusted to do business with, so understanding the various levels of verification is critical in selecting the most appropriate certificate to secure a site.

There are three main types of certificate validation: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). A certificate that is created without validation is called “self-signed” because the certificate signature field is populated by the same organization requesting the certificate, not by a third-party certificate authority (CA).

Self Signed SSL Certificates

You can create your own “self-signed” SSL Certificate for free, but there is no identity verification. Browsers will display ominous security warnings that a site is untrustworthy before allowing users to access a web site using a self-signed certificate. This makes them impractical for a public-facing web site. Because they are free, they are frequently used in intranet labs to save money during web and systems development.

Domain Validated (DV)

These certificates are the lowest-cost means of website security, but they do not provide authentication or validation of the business behind the website. Unlike EV and OV certificates, DV certificates are validated and provisioned automatically via an online interface using a system of ‘challenge-response’ emails. If the site you are on is using a DV certificate, then Dragon will change HTTPS to yellow and place a yellow alert symbol over the padlock. This is to inform you that the organization behind the website has not been authenticated, so you may want to proceed with caution:

[Image: SSL Validation (DV indicator in Comodo Dragon)]

Organization Validation (OV)

These certificates include full business and company validation from a certificate authority using currently established and accepted manual vetting processes. Because of this requirement, these certificates provide significantly higher levels of trust and security than DV SSL certificates, but they are not validated to the stringent standards set by the CA/B Forum and do not possess the ability to turn the address bar green in the latest browsers. If the site you are on is using an OV certificate, then Dragon will display the padlock and HTTPS in a green color. This is to inform you that the business behind the website has been validated and it is safe to proceed with any transaction:

[Image: OV SSL Validation (OV indicator in Comodo Dragon)]

Extended Validation (EV)

EV certificates are validated to the rigorous guidelines set by the CA/B Forum – an independent standards body that requires in-depth verification of the legality and probity of a company before it is issued with a certificate. Because of this, EV certificates provide the highest levels of security and trust to end-users. To indicate this higher level of trust, Comodo Dragon turns the entire address bar green if you are on a site which is using an Extended Validation certificate:

[Image: SSL (EV green address bar in Comodo Dragon)]

Users can enable or disable this feature in the HTTPS/SSL section of ‘Settings’ > ‘Show advanced settings’.

Background Information

An SSL Certificate can only signify that it is safe to trade with a company when two vital steps are completed prior to its issuance:

1. Verification that the certificate applicant is in control of the domain name.

2. Verification that the certificate applicant is a legitimate and legally accountable business.

DV certificates only establish step 1, whereas OV and EV certificates establish both step 1 and step 2.

Trust between the person using the browser and the website they are connected to is only possible when BOTH of these stages of validation are completed. Step 2 is carried out by a Certificate Authority (CA) such as Comodo or Verisign. A CA employs human operatives to carry out strict vetting of the applicant’s business and legal standing. Only once this layer of company validation has been completed can a website be truly ‘trusted’.

High Assurance certificates show the full company name and address – indicating that background checks were run prior to the certificate being issued to the organization.
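The distinction the article draws between self-signed, DV, OV and EV certificates shows up directly in a certificate's Subject and Issuer fields. The following is an added example, not code from the original article or from Comodo: it classifies a certificate from the dictionary that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, using the rule that a self-signed certificate has Issuer equal to Subject, a DV certificate names only the domain, an OV certificate adds the organization name and address, and an EV certificate adds the incorporation details the CA/B Forum EV Guidelines require. The sample certificates are constructed, and the attribute names (`businessCategory`, `serialNumber`, `jurisdictionCountryName`) are assumed to match the OpenSSL long names the `ssl` module reports.

```python
"""Classify a TLS certificate's validation level from a getpeercert()-style
dict.  Added example; the sample certificates below are constructed."""

# Subject attributes the EV Guidelines require (assumed OpenSSL long names).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# What the article says Comodo Dragon shows for each level.
INDICATOR = {
    "self-signed": "security warning before the site is shown",
    "DV": "yellow HTTPS and a yellow alert symbol over the padlock",
    "OV": "green padlock and green HTTPS",
    "EV": "entire address bar turned green",
}


def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) into {key: value}."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def classify_validation(cert):
    """Return 'self-signed', 'DV', 'OV' or 'EV' for a getpeercert() dict.

    Heuristic only: the definitive EV signal is the certificatePolicies
    OID, which getpeercert() does not expose, so absence of EV subject
    fields is treated as 'not EV' rather than proven.
    """
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        return "self-signed"          # no third-party CA vouched for it
    if "organizationName" not in subject:
        return "DV"                   # only domain control was checked
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV"                   # legal identity vetted to EV Guidelines
    return "OV"                       # organization vetted, not to EV level


# Constructed sample certificates in getpeercert() layout (no real issuers).
CA_NAME = ((("countryName", "GB"),), (("organizationName", "Example CA Ltd"),),
           (("commonName", "Example Issuing CA"),))
DV_CERT = {"subject": ((("commonName", "www.example.com"),),), "issuer": CA_NAME}
OV_CERT = {"subject": ((("countryName", "GB"),), (("localityName", "Bradford"),),
                       (("organizationName", "Example Shop Ltd"),),
                       (("commonName", "www.example.com"),)), "issuer": CA_NAME}
EV_CERT = {"subject": OV_CERT["subject"] + ((("businessCategory", "Private Organization"),),
                                            (("serialNumber", "01234567"),),
                                            (("jurisdictionCountryName", "GB"),)),
           "issuer": CA_NAME}
SELF_SIGNED_CERT = {"subject": DV_CERT["subject"], "issuer": DV_CERT["subject"]}

if __name__ == "__main__":
    for label, cert in [("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT),
                        ("self-signed", SELF_SIGNED_CERT)]:
        level = classify_validation(cert)
        print(f"{label:12s} -> {level:12s} browser shows: {INDICATOR[level]}")
```

On a live connection, `ssl.create_default_context().wrap_socket(...)` followed by `getpeercert()` yields a dict in exactly this layout, so the classifier can be applied to real certificates unchanged.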
