What is Extended Validation (EV) and how important is it?

Cybersecurity - SSL 2020 - Nameshield Blog
Cybersecurity - SSL certificate - EV

SSL certificates ensure the encryption and integrity of data exchanged between a browser and a web server. There are different levels of certificates, Extended Validation (EV), Organizational Validation (OV) and Domain Validation (DV), which vary depending on the degree of authentication. The Extended Validation type SSL certificate provides the highest level of SSL authentication. It is obtained through a comprehensive and globally standardized identity verification process established by the CA / Browser Forum.

Regardless of the selected SSL level, encryption and data integrity can be guaranteed by Extended Validation (EV), Organizational Validation (OV) and Domain Validation (DV), but they do vary depending on the degree of authentication. The Extended Validation type SSL certificate provides the highest level of SSL security. It is obtained through a comprehensive, globally standardized identity verification process ratified by the CA / Browser Forum.

The EV SSL certificate enables HTTPS security and the now gray padlock in the browser’s address bar, just like DV and OV certificates. The additional cost and time spent on verification makes it more difficult to obtain EV level certificates for phishing sites. Therefore internet users can use this certificate as a mark of trust and feel more secure when communicating and making purchases.

On June 12, 2007, the CA/Browser Forum officially ratified the first version of the Extended Validation SSL Guidelines, which took effect immediately. The formal approval successfully brought to a close more than two years of effort and provided the infrastructure for trusted website identity on the Internet.

Most major browsers created visual indicators for pages loaded over HTTPS and secured by an EV certificate soon after the standard was created: they displayed the validated identity, which is a combination of organization name and legal status, in the URL bar. Safari for iOS, Windows Phone, Firefox for Android, Chrome for Android and iOS, also added these indicators.

In May 2018, Google announced plans to redesign Google Chrome user interfaces and remove emphasis on EV certificates. Chrome 77, released in 2019, removed the EV certificate indication from omnibox. Firefox 70 followed and removed the distinction in the omnibox or URL bar : EV and DV certificates are displayed similarly with just a padlock icon, but the information on the EV certificate status is still accessible in the more detailed view that opens after clicking on the padlock icon.

SSL EV certificate - Nameshield

An EV certificate displayed in Firefox

The increasing use of mobile devices and the removal of the visual indicator EV by browsers has significantly reduced the interest of some entities in using this level of security, but the EV is still very important in our daily lives.

Today, phishing websites are unfortunately still a major threat to legitimate websites and online services. These cybercriminals use DV certificates, usually obtained from a free SSL service that does not conduct adequate phishing checks, to make their sites appear more trustworthy. They are able to easily deceive unsuspecting victims and trick them into disclosing financial or personal information.

A very strong increase in phishing has been observed since March 2020, with the beginning of lockdown and remote working for many people: the volume of phishing sites increased by 47% for the first quarter of 2020, and 82.7% of attacks phishers used DV SSL certificates. This problem is only growing and increases the need to verify identities online.

Image source : TheDigitalArtist via Pixabay

Author: Charlotte HARARI

Chargée de Clientèle SSL - Gestion des certificats - Nameshield group