Can HTTPS Certificates Provide Identity Assurance and is it Worth it?

There's an interesting situation involving Certificate Authorities going on right now. Ever since Let's Encrypt popped up, all the other CAs are basically fighting for customers. It's interesting watching them come up with ever more amusing justifications for paying for certificates when you can get them for free from Let's Encrypt.

Categories of HTTPS Certificate

When you go to get an HTTPS certificate you'll find there are three types of validation. These three types get the rather uninteresting initialisms of DV, OV and EV. Although they're rather uninteresting this article will make a lot more sense if I tell you what these stand for so here goes:

  • DV - Domain Validation
  • OV - Organization Validation
  • EV - Extended Validation

Now, the keen-eyed among you may have noticed that they all contain "Validation" - well, okay, it's pretty obvious. Anyway, these levels of validation are rather hot topics at the moment. The intention is that these levels of validation result in varying levels of trust from the end user. Here's a quick run through what the differences are:

DV - Domain Validation

These are the most common type of HTTPS certificate and are the only type I use for the approximately 20 certificates I have currently. When I want a DV certificate all I have to do is verify I have control of the domain. This is usually checked via an HTTP request to a file on my web server but can also be checked via email or a DNS record. Once I've completed this the CA will issue the certificate that I requested. The process is nice and simple but, more importantly, it's automated on the CA's part, which means DV validation can be completed in seconds or minutes (depending on the validation type - email, DNS etc). Note what this actually proves: that whoever requested the certificate controlled the domain (or its DNS, or a mailbox at it) at that moment, and nothing at all about who they are.

OV - Organization Validation

These certificates require the same domain validation as DV cert issuance, plus a check that the organization named in the request actually exists (the CA checks it against official business records) and did in fact request the certificate.

In the certificate itself the difference is minor and not easy to see. If you inspect the certificate (F12, then the "Security" tab, then "View Certificate" in Chrome) and look under the "Subject" entry you'll see the company's name and partial address (country, state and locality) alongside the domain, whereas a DV certificate's Subject contains nothing but the domain name.

Here's my DV certificate for this site:


...and here's an example OV certificate:


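As an added example (not code from the original post), here is a standard-library Python script that makes the same comparison programmatically: it decodes the DER-encoded Subject Name of a certificate and reports whether it names only a domain (DV) or also an organization and, for EV, the registration details the EV Guidelines require. The three Subject blobs at the bottom are constructed in the script rather than taken from real certificates; pulling the Subject out of a real certificate needs a full X.509 parser (or `openssl x509 -in cert.pem -noout -subject` if you just want to look at it), which is outside this snippet's scope.

```python
"""Added example, not code from the original post: a minimal DER reader for an X.509
Subject Name, used to tell a domain-only (DV) Subject from one that asserts an
organization (OV) or EV registration fields.  Sample DER below is constructed here."""

# Attribute types seen in Subject names (RFC 5280 and the CA/B Forum EV Guidelines).
OID_NAMES = {
    "2.5.4.3": "CN",                 # commonName: the domain in a DV certificate
    "2.5.4.6": "C",                  # countryName
    "2.5.4.7": "L",                  # localityName
    "2.5.4.8": "ST",                 # stateOrProvinceName
    "2.5.4.10": "O",                 # organizationName
    "2.5.4.5": "serialNumber",       # company registration number (EV)
    "2.5.4.15": "businessCategory",  # e.g. "Private Organization" (EV)
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",  # EV Guidelines field
}
ORG_ATTRS = {"O", "C", "L", "ST"}
EV_ATTRS = {"serialNumber", "businessCategory", "jurisdictionCountryName"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(buf):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Decode DER OID bytes to dotted form (first byte packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_subject(name_der):
    """Decode a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value}) into [(attr, value)]."""
    tag, body, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for set_tag, rdn in _children(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for _seq_tag, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            dotted = _decode_oid(oid)
            # PrintableString and UTF8String values both decode as UTF-8 here
            attrs.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8")))
    return attrs


def subject_assurance_level(attrs):
    """'DV' if the Subject names only the domain, 'OV' if it also names an organization,
    'EV' if it carries EV Guidelines registration fields.  Browsers decide EV from the
    certificatePolicies OID and the issuing root, not the Subject, so this is a hint
    about what the certificate claims, not a verdict."""
    present = {attr for attr, _ in attrs}
    if present & EV_ATTRS:
        return "EV"
    if present & ORG_ATTRS:
        return "OV"
    return "DV"


# --- constructed samples: a tiny DER encoder so the script runs offline ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                   # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_subject(pairs):
    """Encode [(dotted_oid, text), ...] as a DER Name, one attribute per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, text.encode("utf-8"))))
        for oid, text in pairs)
    return _tlv(0x30, rdns)


DV_SUBJECT = build_subject([("2.5.4.3", "example.com")])
OV_SUBJECT = build_subject([("2.5.4.6", "GB"), ("2.5.4.8", "Greater London"), ("2.5.4.7", "London"),
                            ("2.5.4.10", "Example Roofing Ltd"), ("2.5.4.3", "www.example.com")])
EV_SUBJECT = build_subject([("1.3.6.1.4.1.311.60.2.1.3", "GB"), ("2.5.4.15", "Private Organization"),
                            ("2.5.4.5", "01234567"), ("2.5.4.6", "GB"), ("2.5.4.7", "London"),
                            ("2.5.4.10", "Example Roofing Ltd"), ("2.5.4.3", "www.example.com")])

if __name__ == "__main__":
    for der in (DV_SUBJECT, OV_SUBJECT, EV_SUBJECT):
        attrs = parse_subject(der)
        print(subject_assurance_level(attrs), ", ".join(f"{k}={v}" for k, v in attrs))
```

The EV sample is long enough to force a long-form DER length, so both length encodings get exercised. The caveat in the classifier's docstring matters in practice: an OV-looking or EV-looking Subject is something the CA vouched for, but whether a browser shows it as EV depends on the certificate policy OID and the root it chains to, not on the Subject text; the only thing a Subject tells you for certain is that a DV certificate makes no identity claim at all.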
Now, I understand if, like me, you think it's a bit odd that people would pay at least £30/yr (the cheapest OV from the suppliers I use) for an OV certificate when they could have a DV cert for £6.87/yr or for FREE using Let's Encrypt. It's also worth pointing out that certificate prices vary greatly depending on the Certificate Authority (these prices are for Comodo's certificates). Finally, the validation process for OV certs usually takes a couple of business days.

EV - Extended Validation

The last and hardest to get of the three validation types. Extended validation is quite a long-winded process. It involves identifying and validating both the organization and an individual from the organization and making sure they meet certain requirements - in other words, it's complicated and consequently takes longer (several days) and also costs a lot more. EV certs usually cost £100+ a year. Now, I'm going to pretend I hear you ask "So why would I want one?". Ah! What a suitable question, I'm glad I pretended to hear you ask it. The main advantage to EV certs is the "green bar" browsers display. Here's an example:


The Value of EV

I think it's fair to say there isn't a whole lot of value in getting an OV certificate. It could be argued that as an EV cert's "green bar" is rather visible they are worth the cost and effort to get one. Well, this is what people are debating. Yes, people may notice the green bar and it will usually show a business name that the user will recognise. The question is, how many people know what this means? Before reading this article, did you know the difference? Not many people are going to, and even fewer are going to look for a green bar.

My favourite argument is the question "Will people notice when it's not there?" I mean, there's no "requirement" for organizations to use EV certs so it's by no means a norm, therefore you can't simply go "it's not EV so I know something's amiss". Yes, I'd use one if money weren't a problem purely because I could and, let's be honest, they look cool. I also appreciate it when people use them but a green bar doesn't really have any effect on how I use a site.

I suppose the only situation I'd be affected by a green bar is if I were using the website of a company I've never heard of, as in a way I would feel like they're more trustworthy. I mean, they've gone through the trouble and cost of doing something very, very few companies do. In theory all the large brands like Google, Twitter etc are very well known so don't need this extra assurance (and don't all use EV). However, what about a small reseller of roofing I've never heard of that seems to have almost too good to be true prices? Well in this case an EV cert might just make the difference between me using them and moving on swiftly. Even with this, I'm an IT guy, it's quite literally my job to know about this stuff - I don't think an EV cert would affect many people in this way.

At the end of the day I don't think HTTPS certificates are a very good way to provide identity assurance, as the differences are not commonly understood. They are designed to protect traffic in transit and that job they do very well. I think all sites should use HTTPS, but I see EV as a "nice to have" rather than a "must", and even then there's no statistic that I can find showing the effectiveness of EV. Ultimately, all the people that I see who are pro-EV just happen to be the very same people who stand to make money from people using it - CAs for instance.

I'll end on this, it's a Tweet from the "CA Security Council" - a group made up of the top Certificate Authorities in the world...

It's rather ironic how they aren't using EV on their own site! Though, I'm betting that you didn't notice that.

Sidenote: I thought I'd mention that you can't get wildcard EV certificates (certificates that cover all subdomains of a domain, written with a * in place of the subdomain, e.g. *.example.com). This means that it's much more difficult and expensive for organizations with multiple subdomains to get EV certificates and may well contribute to why very few companies use EV certs.

