Extended Validation (EV) SSL certificates are one of three standard SSL certificate types issued by Certificate Authorities: DV, OV, and EV. What makes EV certificates different from the others is that they provide the highest assurance that the domain is NOT associated with a bad actor. When users see a company-branded address bar next to the URL, they can know that they are on a trusted domain.
So is an EV SSL certificate right for you? In order to determine this, it’s important to understand why the cost is higher than other certificate options, the unique value it provides, and how the issuance process works.
Is an EV SSL Certificate Worth It?
One objection that is raised against Extended Validation (EV) SSL is that, for any given Certificate Authority, it tends to cost more than an Organization Validation or Domain Validation certificate.
Let’s dive into why these certificates cost more than others as well as the value they provide.
Why They Cost More
Often, the additional cost of an EV certificate can seem confusing – all SSL certificates are just bits, after all, and both OV and EV options require authentication. However, there’s much more to it than that.
For example, if it were a lock on your door, that would be a different matter. The superior lock might require more metal to manufacture, or more expensive metal or other such components. The presence of these components would help buyers viscerally to understand the additional value – along with the additional expense required to manufacture this high-end lock.
In the case of EV SSL, these additional expenses are invisible to the buyer. Because all SSL certificates occupy the same spot in your infrastructure and entail no physical component, it’s very difficult for a consumer to see that these expenses exist. That’s because these expenses occur behind the scenes.
- CAs need to employ different information sources, undergo additional CA/Browser Forum procedural steps, and pay for additional third-party audits in order to issue EV certificates.
- Companies require additional employee training, internal audit, systems, and the like.
These expenses translate to Cost of Goods Sold (COGS). These costs are specific to the set of EV certificates a company sells, so they must be defrayed across the set sold. Otherwise CAs can’t take them on. And because it is a lower-volume product than other authentication levels, that means the costs are concentrated in a smaller number of individual purchases than they would be for OV or DV certificates.
The Value and Benefits
The good news is that even with the higher pricing, the cost difference between EV and OV certificates remains low, so that EV is still within reach for any company seeking its benefits. And should the volume of EV certificates increase over time, CAs may be able to decrease this cost difference even further.
This certificate offers sites more value than the other types because it leads popular browsers, like Google Chrome, to display the company name in the address bar in addition to the HTTPS padlock. This is necessary for compliance with some industry guidelines and provides additional benefits, including:
- Increased website security – Provides protection from phishing attacks and other cyber threats that could threaten company or customer data
- Improved brand perception – Shows users that your site is secure and the brand name is verified
- Increased conversions – Signals a higher level of trust to potential customers. This is especially important for eCommerce sites that request a customer’s financial information
- Boost to traffic – A secure site is good for SEO (search engine optimization), which can lead to higher rankings in the search results and thus, an increase in online traffic
The Issuance Process
The process for a Certificate Authority to issue an Extended Validation SSL certificate is more stringent than other SSL/TLS certificates. The CA follows a validation process based on CA/Browser Forum guidelines.
The CA checks that the requesting business is a legal entity, and the validation requires sufficient disclosure of business information to perform this verification. There is an additional human step in which the entity is contacted via phone to verify its identity. Processing can take several days, depending on the requestor’s availability during the telephone verification phase.
Before issuing an EV SSL certificate, the Certificate Authority contacts the organization via phone to verify its identity.
EV shows users that the website employs best-of-breed security measures to protect transactions and ensure compliance with standards and regulations.
Before issuing an Extended Validation certificate, the Certificate Authority follows a seven-stage process based on guidelines determined by the CA/Browser Forum.
- EV Enrollment: Verifies that the applying person is indeed an employee of the company or organization, and he/she is authorized to proceed with this certificate purchase.
- Organization Authentication: Verifies, via government registration information, that the applying organization is a legally registered entity and that it is active in the registered location.
- Operational Existence: Verifies that the organization has been in existence for 3+ years. If not, then additional documents are required (intended to complicate the process for cybercriminals attempting to create shell companies to obtain EV certificates).
- Physical Address: Verifies that the organization has a real physical address in its country of registration.
- Telephone Verification: Verifies that the organization’s telephone is a working phone number.
- Domain Name Authentication: Verifies that the organization is the rightful owner of the registering domain and subdomains.
- Final Verification Call: CA calls the applying organization contact to verify the EV application.
Given the rigor and information disclosure involved, cybercriminals are statistically far more likely to apply for DV or OV certificates than undergo the vetting process to acquire an EV certificate.
While no CA can know the “intent” of an organization seeking an SSL certificate, the verification process noted above strives to vet the legitimacy and authenticity of the domain at the time of issuance. EV is one of the best (visible) trust indicators in place today.