
Are EV certificates worth it? A technical guide to SSL validation - nailer
https://certsimple.com/blog/are-ev-ssl-certificates-worth-it
======
jon-wood
I'd be really curious to see some numbers on not the technical side, but the
human side.

In the past I've chosen not to buy EV certs not because the process is more
involved, but because it just doesn't seem worth the extra cost - I've never
heard of someone choosing not to do business because a site had the wrong kind
of SSL certificate. Most people would probably put their credit card details
into a completely unencrypted website given half a chance.

~~~
nailer
_nod_ what you really want is someone like usertesting.com to do this, ie,
interested in conversion rates, not selling certificates.

This hasn't happened with EV yet, but it did happen with 'site seals' - those
images (or in Symantec's case Flash objects) that promote a particular
certificate brand in a web page.

CertSimple sells certs that come with a DigiCert 'site seal' but I'll happily
tell you that usertesting tested CRO with site seals a little while ago and
found out that, in one case, removing 'site seals' completely was better for
conversion - apparently reminding people they're not being hacked doesn't
inspire confidence. Let me know and I'll dig up the event recording.

I _feel_ EV is a different situation - it's the only chrome displayed by the
actual browser concerning identity of a website (which as we know is not the
same thing as the origin). But I don't have numbers to say and I shouldn't be
the one to conduct the research since I'm clearly biased.

~~~
UnoriginalGuy
This might be an unfair question: Do you see the cost of EV certificates
coming down in the future, or is that level of cost actually required due to
how involved validation is?

For a lot of SMBs and individuals it is hard to justify the additional $150 an EV
certificate costs. Plus the loss of convenience that wildcard DV certificates
provide (and EV certificates cannot).

I like the concept of EV, but unless I was running a large company with deep
pockets or was in a sector where EV is helping (e.g. finance/payments/etc)
then I'd just skip it. I'm not even sure it helps mitigate phishing.

~~~
nailer
Essentially the cost of EV is the cost of validation. As time goes on, and as
there are more CAs, I suspect the competition will increase and the price of
EV will go down.

However, the current per-year price of EV is less than a half day's work by an
average programmer. I'm not necessarily sure that's out of the question for most
businesses.

------
zokier
That sounds all great and fancy, but one quite critical piece is missing: the
ability to trust CAs. I'm frankly somewhat impressed at the level of
diligence described in the article, if it is really what happens for each and
every EV cert from every CA. But the cynic in me finds it difficult to
trust that that would be the case. Does the EV certification process put any
requirements on the CA, such as mandatory independent audits or some other
overwatch mechanism?

~~~
jamiesonbecker
EV is simply a signal that the website is backed by a real company. Even if
you can't trust the CAs to always do a good job (there are too many instances
of CAs _really_ doing the opposite), they still don't give them away for
free. To get one, you have to be prepared to spend hundreds of dollars on top
of the typical incorporation and startup costs, so at least you can trust that
someone actually ponied up for the certificate cost itself, incorporated, and
maintains that incorporation in good standing.

We bought EV for [https://Userify.com](https://Userify.com) even though we're
a startup, because it demonstrates our level of commitment to security and
that we're serious in the marketplace. We also use a wildcard TLS certificate
for customer-specific logins. EV-TLS also fights phishing attacks.

It's somewhat shocking that AWS doesn't use EV-TLS for the console login,
especially when they're so good about other things (like searching for
customer keys on Github, watching for phishing exploits, etc.)

~~~
noinsight
> AWS doesn't use EV-TLS for the console login, especially when they're so
> good about other things

You mean _this_ AMZN?:

[http://imgur.com/S1Pz155,TdRDjIq#0](http://imgur.com/S1Pz155,TdRDjIq#0)

It's shocking to me that they aren't even using proper TLS settings even
though I'm sure they're perfectly capable and aware. Doesn't inspire
confidence in their security.

~~~
jamiesonbecker
Agreed! (but, in fairness, portal.aws.amazon.com might be an obsolete domain,
since it just redirects to the correct aws.amazon.com... the actual console
login does use TLS 1.2 etc.)

Even so, it still blows my mind that even the main Amazon.com page uses
no SSL at all by default, and they're an e-commerce site, unlike Google and
FB. Seems to show a lack of respect for customer privacy.

------
nailer
EDIT: here's an answer for Zokier's excellent question (I'm rate limited right
now):

> Does the EV certification process put any requirements on the CA, such as
> mandatory independent audits or some other overwatch mechanism?

The EV Requirements themselves do not.

However Google required since Jan 1 2015 that ALL EV certificates have
certificate transparency enabled. See the links in the article - I've tweaked
it a little to directly address your point too.

Certificate Transparency makes it much harder for a CA to issue a certificate
for someone else's keypair in your name.

------------

Original response below:

Hi there, author here. I hope you don't mind the foul language but I couldn't
convey the general feeling towards CAs at EdgeConf much better.

This is by no means a replacement for reading the EV requirements (and
baseline requirements) but does capture the typical validation process for all
the (around 30) EV certificates we've been involved in so far.

------
nadams
From the average user's POV: no

They won't know the difference between a lock and a green bar. I would bet a
percentage of users don't even notice if they are browsing a site using SSL
or even understand why HTTP without SSL is bad. This was proven with tools
like Firesheep where people are more than happy to browse facebook on an open
wifi connection without using SSL.

I know I saw a discussion with the Chrome team talking about showing an
error-like page for all non HTTPS traffic. This is not the solution - the solution
is to show some sort of message to the user that is non-blocking that says
"hey your information is sent in the clear". Also - change the self-signed SSL
to not look like an error page. Using self-signed SSL is more secure than not
using SSL at all - even if the certificate isn't verified your data over the
wire is encrypted.

~~~
hackuser
> They won't know the difference between a lock and a green bar. I would bet a
> percentage of users don't even notice if they are browsing a site using SSL
> or even understand why HTTP without SSL is bad.

I would bet this percentage is much higher than many people here think. Most
people have no idea what "http" means, or even what a protocol is or why they
would need one, much less URLs, HTTPS, SSL certs, encryption, identity,
validation, etc. Many users whom I observe don't understand the URL field. If
they want to load [http://cnn.com](http://cnn.com), they type "cnn" into the
Google search field and click the first link -- for sites they regularly
visit, every time, multiple times per day! Many don't know what a web browser
is. [1]

The idea that they will grasp EV certs, and all the knowledge required for that
(certs, issuers, identity, encryption, what does encryption have to do with
identity, etc etc etc) seems very unlikely.

[1]
[https://www.youtube.com/watch?v=o4MwTvtyrUQ](https://www.youtube.com/watch?v=o4MwTvtyrUQ)

~~~
noinsight
> they type "cnn" into the Google search field and click the first link

Yeah, they even click the ad links, which makes me cringe every time.

------
itengelhardt
Suggestion to the author: I could really benefit from a short sentence that
explains to me what DV means. I get from the context that EV likely means
"Extended Validation". Then again, all I ever did was set up SSL on Heroku and
a bit of openssl magic to get Github running - so maybe not the target for the
article?

Edit for clarification: There is a short description of DV & EV, but it
doesn't mention what DV/EV stands for. I'd love to know that (without
Googling, because lazy).

~~~
jlgaddis
As perfTerm noted, DV stands for Domain Validation. DV is where, basically,
you prove ("validate") that you own the domain you're requesting a certificate
for, typically by being able to receive an e-mail sent to one of the contacts
listed in WHOIS for the domain.

This is similar to Google requiring you to create a file in the root directory
of a web site or creating a TXT RR (with a specific value) in the DNS zone for
a domain for Google Analytics (if you've ever done that).

------
raesene9
Here's the thing, the reason EV SSL certificates aren't a good purchase is
nothing to do with the technicalities of the matter.

It has to do with "will users trust my site more if they see an EV cert"

And the answer to that (IMHO) is, no, definitely not.

Most users don't even notice when a site goes from HTTPS to HTTP, the chances
that they will notice the difference between the display of an EV cert. and a
DV cert. are negligible.

Ask yourself this, can you list the sites that you visit that use EV certs? If
you can't, what are the chances your users will....

~~~
marcosdumay
Well, my bank uses an EV cert. That's one of the few that matter.

Of the last few sites where I bought something, most use a DV cert. I always
check that, but I don't mind them not having an EV (I only mind plain text and
bad crypto).

Of course, I don't want to imply that my behavior is typical, because it's
not. I'm just answering your question...

------
jamiesonbecker
EV-SSL is a browser signal and is not usually visible on mobile, so it will
probably have decreasing importance over time.

~~~
iLoch
When EV is used, iOS ONLY shows the EV information - not the URL - in the
address bar.

~~~
hackuser
> When EV is used, iOS ONLY shows the EV information - not the URL - in the
> address bar.

I expect only a tiny portion of users understands this.

------
finnn
Any info on how the /companies API collects data? eg
[https://certsimple.com/companies?legal-name=testing&country-...](https://certsimple.com/companies?legal-name=testing&country-code=US)

------
samgranieri
Technically I'd say no. I had to apply for one when I was the lead software
developer at a healthcare startup two years ago, and it was more involved. My
boss had to submit a bunch of paperwork.

------
blibble
summary of article: no... assuming you've got £15 to set up a company (such as
the pirate one in the article), and £149 for a cert, anyone can have one

~~~
nailer
That's not an accurate summary. The certificate is that you're at that
company: only someone with sufficient authority in that specific company can
acquire a certificate saying you're that company.

As the article mentions, that's not to say there aren't flaws in the process. But
most attacks against EV have come in the form of DV downgrades rather than
falsely issued EV certificates.

Actually, if you have info on _any_ falsely issued EV certificates I'd be
really interested.

~~~
blibble
right, so if I have £15, I can pay £15 to Companies House to start a company,
and then I can authorise anything.

EV offers nothing over normal certs, other than the company name and the green
bar, and I can control the company name if I have another £15...

~~~
nailer
You can authorise a certificate only for the company you just created, which
is most definitely not 'anything'

~~~
sbierwagen
What stops a Russian EV cert vendor from authorizing an EV cert for impostor
company Example LLC, when the real corp is Example Inc?

~~~
nailer
> What stops a Russian EV cert vendor from authorizing an EV cert for impostor
> company Example LLC, when the real corp is Example Inc?

- The Registry of Companies & Intellectual Property in Russia must accept
Example LLC as a valid business name which may be difficult if Example Inc was
well known.

- The issuing CA must manually inspect all requested domain names in the EV
cert and ensure there is no phishing attempt. A certificate request for the
hostname 'example.com.example.ru' would be rejected. Depending on how well
known Example Inc is - eg, say they were Bank of America - even 'example.ru'
may be rejected.

- If for some reason this failed and a certificate for the identically named
Russian company was issued, it would read 'Example LLC [RU]' in the address
bar rather than 'Example Inc [US]'
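The two points nailer makes in this subthread (most attacks on EV are DV downgrades, and an impostor's EV cert would display as 'Example LLC [RU]' rather than 'Example Inc [US]') can both be checked mechanically on the defender's side. The example below is added here and is not code from the article or from CertSimple; it works on the subject layout Python's `ssl` `getpeercert()` returns, assumes the jurisdiction attribute may arrive either as its long name or as a dotted OID depending on the OpenSSL build, and the sample certificates are constructed, not real.

```python
import socket
import ssl

# EV-only subject attributes: jurisdiction of incorporation, registration number and
# business category; the jurisdiction OID may come back dotted on old OpenSSL (assumption).
JURISDICTION_COUNTRY = ("jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3")
EV_MARKERS = ("serialNumber", "businessCategory")

def subject_to_dict(subject):
    """Flatten the tuple-of-tuples subject from ssl getpeercert() into a dict."""
    return {name: value for rdn in subject for (name, value) in rdn}

def classify(cert):
    """Return (kind, display): kind is 'DV', 'OV' or 'EV'; display approximates
    the 'Org [CC]' identity string a browser shows for an EV certificate."""
    s = subject_to_dict(cert.get("subject", ()))
    org = s.get("organizationName")
    if not org:
        return "DV", None  # domain-validated: no organisation asserted at all
    if any(k in s for k in JURISDICTION_COUNTRY) and all(k in s for k in EV_MARKERS):
        return "EV", f"{org} [{s.get('countryName', '??')}]"
    return "OV", org  # organisation present, but not the EV attribute set

def detect_downgrade(cert, expected_org, expected_country):
    """Flag a DV/OV certificate where EV is expected, or an EV certificate that
    names a different company (e.g. 'Example LLC [RU]' vs 'Example Inc [US]')."""
    kind, display = classify(cert)
    expected = f"{expected_org} [{expected_country}]"
    if kind != "EV":
        return f"DOWNGRADE: expected EV for {expected}, got {kind}"
    if display != expected:
        return f"MISMATCH: expected {expected}, got {display}"
    return "OK"

def fetch_cert(hostname, port=443):
    """Leaf certificate in getpeercert() layout for a live host (network needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() layout (not real certificates).
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),), (("serialNumber", "1234567"),),
    (("countryName", "US"),), (("organizationName", "Example Inc"),))}
DV_SAMPLE = {"subject": ((("commonName", "example.com"),),)}
IMPOSTOR_SAMPLE = {"subject": ((("1.3.6.1.4.1.311.60.2.1.3", "RU"),),
    (("businessCategory", "Private Organization"),), (("serialNumber", "7654321"),),
    (("countryName", "RU"),), (("organizationName", "Example LLC"),))}
```

`detect_downgrade(fetch_cert("example.com"), "Example Inc", "US")` is the monitoring call for a live host; against the samples it returns "OK", a DOWNGRADE for the DV certificate and a MISMATCH for the impostor.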

------
finnn
Obligatory comment pointing out that SSL certificates are a racket and it's
appalling that we have to pay for an SSL certificate.

~~~
brobinson
If you're okay with not having "authenticated pulls" (i.e., the request from
the CF edge to your server being unencrypted), Cloudflare gives you SSL for
free. Their SSL config gets an A+ on SSLLabs tester, too.

Far from a solution to the SSL problem, but an interesting and free option for
a lot of sites that otherwise would not bother with SSL.

~~~
MichaelGG
I wonder why Cloudflare doesn't sign certs for their users to be used just for
CF connecting to them. Seems like an obvious step to take.

~~~
jlgaddis
They do. It's a part of their "Universal SSL" [0] called "Strict Mode".

[0]: [https://blog.cloudflare.com/universal-ssl-encryption-all-the...](https://blog.cloudflare.com/universal-ssl-encryption-all-the-way-to-the-origin-for-free/)

~~~
MichaelGG
Well I feel silly. I looked in the dashboard several times, but the "valid
cert required" was a CA-issued one, I thought. Cool!

