Extended Validation SSL


We received an interesting comment in reply to the blog post http://www.eset.com/threat-center/blog/2009/10/13/phishing-the-fbi-and-terror. Joseph A’Deo, who apparently works for Verisign, mentioned the use of extended validation SSL (EV SSL).

I am sure that some of you are familiar with EV SSL. Some of you have seen the results of it and perhaps not noticed. Some of you probably are completely unaware of EV SSL.

Let’s start with SSL. In a nutshell, it is what is used to make an https web site. This means that the data between your computer and the web site you are visiting is encrypted. This does not mean the other web site is safe. When you visit a web site that starts with https your browser shows a padlock. Some people think this means it is secure, but it really only means that the data, such as your user name and password, will be encrypted. It is pretty easy for someone to get an SSL certificate so that they can use https on their website.

EV SSL means that the organization, such as Verisign, has done a more thorough background check on the person or company that they are issuing the certificate to. This is a good thing. When I worked at Microsoft, Verisign gave someone a couple of Microsoft digital certificates and the people didn’t even work for Microsoft!!!

When a web site uses EV SSL, the browser will look a little different to let you know it is an EV SSL site. One problem is that different browsers display EV SSL differently, and none of them tell you why it might look different. Another problem is that it is unclear whether any significant percentage of the population even notices the difference, and if they do notice, they probably don’t know what it means.

EV SSL is at best a pretty anemic approach to security. It is better than nothing, but I suspect it is predominantly ineffective.

To prevent phishing attacks EV SSL is no match for conscious computing. Don’t ever click on a link in an email from a bank, PayPal, eBay, or any other place that you are going to enter your user name, a password, a PIN, or other important information.

Randy Abrams
Director of Technical Education

Author, ESET

  • Joseph A’Deo


    Thanks for responding to my comment. I am definitely in agreement on one thing — the reason phishers continue to succeed is that end users compromise their own data, and clicking on links in emails is a common mistake. But we feel that a multiple layered approach to security is best; just to give an example, phishers often embed false links via other routes as well (Twitter, etc.) where following URLs is not often seen as an issue. If users, however, can immediately see that a Web site is either a potential phishing site or one that has gone through extensive authentication checks (as EV SSL provides), this will no doubt benefit them.

Copyright © 2016 ESET, All Rights Reserved.