Are Extended Validation SSL certificates effective

Tags: phishing, ssl-certificate

Every time an SSL cert comes up for renewal, my provider tries to sell me an Extended Validation certificate. The big difference is the green address bar in Firefox and Safari for quadruple or quintuple the cost.

Supposedly, the benefit (and reason for the green bar not shown in IE8 or Chrome) is deeper authentication of the requesting party. But I can detect little actual difference between Verisign's own minimum requirements (from their CPS) for all SSL certs (section 3.2.2):

At a minimum VeriSign shall:

• Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,

• Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.

• Where a domain name or e-mail address is included in the certificate VeriSign authenticates the Organization’s right to use that domain name either as a fully qualified Domain name or an e-mail domain.

and EV requirements (Appendix F14C):

(C) Business Entities
To verify a Business Entity’s legal existence and identity VeriSign verifies that the Entity is engaged in business under the name submitted by Applicant in the Application. VeriSign verifies that the Applicant’s formal legal name as recognized by the Registration Authority in Applicant’s Jurisdiction of Registration matches Applicant’s name in the EV Certificate Request. VeriSign records the specific unique Registration Number assigned to Applicant by the Registration Agency in Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the Applicant’s date of Registration will be recorded. In addition, the identity of a Principal Individual associated with the Business Entity is verified in accordance with Section 14(b)(4) of the EV Guidelines.

So:

1) Do EV certificates actually inspire more trust among users?

2) Do EV certificates actually help fight phishing/fraud/any of the things vendors list?

3) If they actually performed the minimum requirement, doesn't that include all the EV stuff? What am I missing?

Best Answer

Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).

First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800-page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.

On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.

As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:

The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.

To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.

Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.
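The extra validation the question compares (legal name, registration number, jurisdiction) is what ends up in an EV certificate's Subject, and that is the only thing a relying party can check. This added example, which is not code from the question or the answer, classifies a certificate as DV, OV or EV from the subject layout that Python's ssl.SSLSocket.getpeercert() returns; the Subject attribute names are taken from the EV Guidelines and OpenSSL's long names (an assumption for this example), and the three sample certificates are constructed.

```python
# Added example, not code from the question or answer above: what an EV
# certificate's Subject carries beyond a DV or OV one, checked over the
# subject layout of ssl.SSLSocket.getpeercert(). The EV Guidelines put the
# verified legal name (organizationName), businessCategory, jurisdiction of
# registration and registration number (serialNumber) into the Subject.

EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber"}
JURISDICTION = {"jurisdictionCountryName", "jurisdictionStateOrProvinceName",
                "jurisdictionLocalityName"}

def subject_attrs(peercert):
    """Flatten getpeercert()['subject'] (tuple of RDNs) into {attribute: value}."""
    attrs = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            attrs[key] = value
    return attrs

def classify_validation(peercert):
    """Return 'DV' (host name only), 'OV' (organizationName, no registration
    data) or 'EV' (organizationName plus the registration fields the EV
    Guidelines require). This says who was verified to exist and nothing
    about how the site treats your data, which is the answer's point."""
    attrs = subject_attrs(peercert)
    if "organizationName" not in attrs:
        return "DV"
    if attrs.keys() >= EV_REQUIRED and attrs.keys() & JURISDICTION:
        return "EV"
    return "OV"

def registration_record(peercert):
    """The 'this organisation exists' claim an EV cert makes, or None."""
    if classify_validation(peercert) != "EV":
        return None
    attrs = subject_attrs(peercert)
    return {"legal_name": attrs["organizationName"],
            "registration_number": attrs["serialNumber"],
            "jurisdiction": attrs.get("jurisdictionCountryName")}

# Constructed Subjects in getpeercert() layout; every value is made up.
ORG = "Honest Achmed's Drug Bazaar and Fishmarket, Inc"
DV_CERT = {"subject": ((("commonName", "www.example.com"),),)}
OV_CERT = {"subject": ((("countryName", "UZ"),), (("organizationName", ORG),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "UZ"),),
                       (("businessCategory", "Business Entity"),),
                       (("serialNumber", "EXAMPLE-REG-12345"),),
                       (("countryName", "UZ"),), (("organizationName", ORG),),
                       (("commonName", "www.example.com"),))}
```

Note that even the EV record only tells you a registered entity with that name exists; nothing in the Subject speaks to the site's handling of your data.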