Monday, March 21, 2016

What is an EV Certificate or Extended Validation Certificate?

We use encrypted communication protocols like SSL/TLS and SSH to transfer sensitive data between two hosts, and public key cryptography is normally used to set up the communication in those protocols.


In a secured protocol like SSL/TLS or SSH, the client typically initiates the connection and the server starts the communication by sending its digital certificate. A digital certificate is basically an electronic document issued by an authority called a Certificate Authority, or CA, which vouches for the authenticity of the public key.


An Extended Validation Certificate, or EV Certificate, is a digital certificate issued by a Certificate Authority that can safeguard users from attacks like phishing better than the commercially available Domain Validated Certificate, or DV Certificate.




What is a Domain Validated Certificate?


Because of commercial pressures, Certificate Authorities started issuing Domain Validated Certificates, or DV Certificates. These certificates are cheaper and involve relatively less verification of the identity of the applicant.

For Domain Validated Certificates, the identity verification of the applicant is usually done in an automated fashion, and it verifies only the registration of the website's domain.


Security concerns of Domain Validated Certificates


As it was much easier to get a Domain Validated Certificate, attackers started taking advantage of that to perpetrate phishing attacks.

For example, an attacker can easily register a domain named facbook.com (note the difference in spelling) and create a malicious web page that looks very similar to the authentic website. They can then send the link to victims using social engineering and trick them into entering their login credentials on the fake site, after which the attacker can easily steal the sensitive data.

As earlier versions of web browsers could not differentiate between fully validated SSL certificates and Domain Validated SSL certificates, it was much more difficult for users to identify this type of phishing attack.


Difference between Extended Validation Certificates and Domain Validated Certificates


From the encryption perspective, there is no difference between Extended Validation Certificates and Domain Validated Certificates. Both use the same data encryption while transferring sensitive data between two hosts.

The difference is in identity verification. For an Extended Validation Certificate, the Certificate Authority typically verifies the domain ownership, business registration and address, phone number, and other pertinent information manually.

Domain Validated Certificates, on the other hand, verify only the registration of the website's domain.

So, from the security perspective, an Extended Validation Certificate is much more secure than a Domain Validated Certificate, as it vouches for the authenticity of the website in a better way.


How to identify an Extended Validation Certificate


Most recent browsers have an enhanced display for Extended Validation Certificates. It typically includes:

  • The name of the company or entity that owns the certificate.
  • The name of the Certificate Authority or CA that issued the Extended Validation Certificate.
  • A different color, usually green, in the address bar that indicates that a valid Extended Validation Certificate was received.
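The browser can show the company name only because the certificate itself carries it. The difference between DV and EV described in the previous section, and the identity the browser displays here, both come down to two things inside the certificate: the Subject fields (Organization, Country, Locality, business registration number) and the certificatePolicies extension, which carries the policy OID under which the CA issued the certificate. The following Go program is an added example, not code from the article; it builds two constructed self-signed test certificates with the standard library, one shaped like a DV certificate for the look-alike domain from the article and one shaped like an EV certificate for the assumed organization "Example Corp", then classifies each. It uses the CA/Browser Forum policy identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV); real browsers additionally recognise CA-specific EV OIDs from their own lists, which this example does not include.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy identifiers carried in the certificatePolicies extension.
var (
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // Extended Validation
	oidCABFDV              = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // Domain Validated
	oidCABFOV              = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // Organization Validated
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// policyInformation is the ASN.1 PolicyInformation structure (qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// Classify returns "EV", "OV", "DV" or "unknown" for a parsed certificate. It
// checks the policy OID and, for EV, also requires the Subject to name the
// verified legal entity, which is what the browser ends up displaying.
func Classify(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidCABFEV):
			if len(cert.Subject.Organization) == 0 || len(cert.Subject.Country) == 0 {
				return "unknown" // EV policy claimed but no organization identity present
			}
			return "EV"
		case p.Equal(oidCABFOV):
			return "OV"
		case p.Equal(oidCABFDV):
			return "DV"
		}
	}
	return "unknown"
}

// SelfSigned builds a self-signed test certificate (constructed sample, not
// issued by any CA) with the given subject, DNS name and policy OIDs.
func SelfSigned(subject pkix.Name, dnsName string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	infos := make([]policyInformation, 0, len(policies))
	for _, p := range policies {
		infos = append(infos, policyInformation{Policy: p})
	}
	// Encode certificatePolicies ourselves so the result does not depend on which
	// template field (PolicyIdentifiers or Policies) the installed Go version marshals.
	policyDER, err := asn1.Marshal(infos)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{dnsName},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policyDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleDV mimics the look-alike domain from the article: the certificate
// proves control of the name and says nothing about who is behind it.
func SampleDV() (*x509.Certificate, error) {
	return SelfSigned(pkix.Name{CommonName: "facbook.com"}, "facbook.com",
		[]asn1.ObjectIdentifier{oidCABFDV})
}

// SampleEV carries the organization identity fields that EV validation covers.
// "Example Corp", the address and the registration number are constructed values.
func SampleEV() (*x509.Certificate, error) {
	subject := pkix.Name{
		CommonName:   "www.example.com",
		Organization: []string{"Example Corp"},
		Country:      []string{"US"},
		Locality:     []string{"Springfield"},
		SerialNumber: "C1234567", // business registration number
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: asn1.ObjectIdentifier{2, 5, 4, 15}, Value: "Private Organization"},          // businessCategory
			{Type: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}, Value: "US"}, // jurisdictionOfIncorporationCountryName
		},
	}
	return SelfSigned(subject, "www.example.com", []asn1.ObjectIdentifier{oidCABFEV})
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){SampleDV, SampleEV} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s org=%q policies=%v -> %s\n",
			cert.Subject.CommonName, cert.Subject.Organization, cert.PolicyIdentifiers, Classify(cert))
	}
}
```

Run with `go run .`; the DV sample classifies as DV with an empty organization, the EV sample as EV with "Example Corp". The point of the Organization check in Classify is that a policy OID is just a number the issuer wrote into the certificate; the identity information the browser shows has to be present in the Subject, and a certificate that claims the EV policy without it should not be treated as EV.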


Compatibility


Most Extended Validation Certificates are compatible with the following browsers:

  • Microsoft Edge 12+
  • Google Chrome 1.0+
  • Internet Explorer 7.0+
  • Firefox 3+
  • Safari 3.2+
  • Opera 9.5+


This was just an informative article on Extended Validation Certificates. Hope you enjoyed it.






