SSL secures the transmission of data passed between your web browser and the web server. When you enter data into a comment, or pay for something online, the information flows over the internet securely if and only if the connection is secured by SSL. It turns out that there are 3 different types of certificates, and web browsers indicate them very differently.
Insecure transactions will soon be marked “Not secure” by Google Chrome, as displayed below. Currently they show an “i” with a circle around it, but that will change this summer with the release of Chrome 68. Here is how all websites without SSL will display:
Below is a comparison of the 3 different security states a website can currently appear in:
There are 3 different types of security certificates available for websites: Domain Validated (DV), Organization Validated (OV) and Extended Validated (EV). Domain Validated certificates can be obtained by anyone, even for free using Let’s Encrypt. These are the simplest to obtain because they require no validation other than some sort of control over the website you are securing. This means just about anyone can obtain one and secure a website, even for $0. Even though these websites are secure, you have no idea exactly who owns or runs them, so the trust level for DV secured sites should be quite low. They suit situations where trust and credibility are less important, such as personal websites and small forums that need basic encryption for things like logins, forms or other non-transactional data.
An Organization Validated certificate has different procurement requirements. To obtain an OV certificate the issuing certificate authority (CA) has to confirm the organization’s existence using a non-automated method. As well as checking up on ownership of the domain name, the Certificate Authority will also carry out additional vetting of the organization and the individual applying for the certificate. This might include checking the address where the company is registered and the name of a specific contact. OV certificates should be used for public-facing websites dealing with less sensitive transactional data. OV certificates do not offer the highest visible display of trust; that is reserved for EV certificates, which show the organization’s identity in a green browser bar.
The Extended Validated certificate is the current gold standard in SSL certificates. Any business that sells products or accepts payment information online should use an Extended Validation (EV) SSL certificate. An EV certificate uses the same powerful encryption as other SSL certificates, but getting one requires a thorough vetting of the applicant’s business. Only those businesses that pass this process will receive an EV SSL certificate. Typically the use of an EV certificate is indicated by a green color – but this varies by browser. Anyone who sees the green address bar while on your site knows instantly they’re on a legitimate website.
EV verification guidelines, drawn up by the Certificate Authority/Browser Forum, require the Certificate Authority to run a much more rigorous identity check on the organization or individual applying for the certificate. Sites with an EV SSL certificate have a green browser address bar and a field appears with the name of the legitimate website owner and the name of the Certificate Authority that issued the certificate. From the CA/Browser Forum:
Having an EV certificate for your website is an indication to your customers (or users) that you are very interested in ensuring their safety and privacy by taking the most care that you possibly can in authenticating yourself (through your web site) to them. Even though it might take more time and money to apply for an EV Certificate, after following the application procedures through to successful completion of the vetting process, the CA will issue an EV Certificate to you.
Before an EV Certificate is granted, a certificate vendor verifies that the business listed on the application is:
- Legally registered
- Currently in operation
- At the address listed (PO Boxes are not allowed!)
- At the telephone number listed (Voice mail systems will not be allowed for validation, there must be someone answering the phone!)
- Owns the website domain name (usually done through a CNAME record, a file placed on your server or by email).
You will need to pass this vetting process every two years to keep your Extended Validation (EV) SSL.
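The three certificate types above differ in what the CA puts into the certificate’s subject: a DV certificate carries only the domain name, an OV certificate adds the organization name, and an EV certificate additionally records the vetted registration details (business category, jurisdiction of incorporation and registration number). The following is an added example, not code from the original article: it classifies a certificate from the dict shape that Python’s `ssl` module returns from `getpeercert()`, using constructed sample certificates for each type. The function names and sample values are assumptions made here.

```python
import ssl
import socket

# Subject attribute names as Python's ssl.getpeercert() reports them (OpenSSL long names).
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def flatten_subject(peercert):
    """Collapse getpeercert()'s tuple-of-RDN-tuples subject into a plain dict."""
    subject = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            subject[name] = value
    return subject

def classify_cert(peercert):
    """Heuristically label a peer certificate DV, OV or EV from its subject.

    DV certs carry only a commonName (plus SANs); OV certs add an
    organizationName; EV certs also encode the vetted registration details.
    Browsers decide EV by the certificate's policy OID against their EV root
    list, which getpeercert() does not expose, so this is an approximation.
    """
    subject = flatten_subject(peercert)
    if "organizationName" not in subject:
        return "DV"
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV"
    return "OV"

def fetch_peercert(hostname, port=443, timeout=5):
    """Fetch the validated leaf certificate from a live server (not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample dicts in getpeercert() shape, one per certificate type.
DV_SAMPLE = {"subject": ((("commonName", "blog.example.net"),),),
             "subjectAltName": (("DNS", "blog.example.net"),)}
OV_SAMPLE = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("jurisdictionStateOrProvinceName", "Delaware"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "shop.example.com"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(label, "->", classify_cert(cert))
```

Against a live site, `classify_cert(fetch_peercert("www.example.com"))` applies the same check to the certificate the server actually presents.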
Most types of organizations can get an EV certificate relatively easily if they have an established business background and are located in a jurisdiction that provides good online access to records of incorporation or registration. Regrettably, for a few types of organizations and a few jurisdictions there is not good enough external registration information available for the CA to be sure of the details supplied by the applicant, so it cannot easily issue an EV certificate. For example, some CAs do not accept PO Boxes as the organizational mailing address (even though the IRS or a local tax jurisdiction does!). Generally, if your organization is incorporated or fits into one of the more common business types such as an LLC or 501(c) not-for-profit, then you should be able to obtain an EV certificate. Here’s an example EV Certification Checklist from Comodo should you decide to go this route. It takes time, and you should confirm that your registration information is up to date and that the phone number on file is answered by a person (not a voice mail service).