Extended Validation SSL certificates

Story

In 2005, Comodo Group CEO Melih Abdulkhayoglu convened the first meeting of the organization, which would later become the CA / Browser Forum. The purpose of the meeting was to improve the standards for issuing SSL / TLS certificates. On June 12, 2007, the CA / Browser Forum officially ratified the first version of the Advanced Verification Guide, and the document took effect immediately. Formal approval has completed the provision of infrastructure for the identification of trusted websites on the Internet. Then, in April 2008, the CA / Browser Forum announced the release of a new version of the Guide (1.1). The new version was based on the experience of certification authorities and software manufacturers.

The motivation for obtaining a certificate

An important motivation for using digital certificates with SSL / TLS is to increase trust in online transactions. This requires website operators to be tested to obtain a certificate. However, commercial pressure has prompted some certification authorities to introduce lower-level certificates (domain-validation). Domain validation certificates existed before extended validation and, as a rule, obtaining them requires only some confirmation of domain control. In particular, domain validation certificates do not claim that this legal entity has any relationship with the domain, although it may be written on the site that it belongs to a legal entity.

At first, the user interfaces of most browsers did not distinguish between domain validation and extended validation certificates. Since any successful SSL / TLS connection resulted in a green lock icon in most browsers, users were unlikely to know if the extended validation site was confirmed or not (as of January 2019, Chrome removed the green icons in the browser). As a result, scammers (including those involved in phishing) could use TLS to increase the credibility of their websites. Users of later browsers can always verify the identity of certificate owners by examining the information about the issued certificate that is indicated in it (including the name of the organization and its address).

EV certificates are checked for compliance with both basic requirements and compliance with advanced requirements. Manual verification of domain names requested by the applicant, verification by official government sources, verification by independent sources of information, and telephone calls to the company are required. If the certificate was issued, the serial number of the company registered by the certification authority, as well as the physical address, are stored in it.

EV certificates are designed to increase user confidence that the website operator is a truly existing organization. Nevertheless, there is still concern that the same lack of responsibility that led to the loss of public confidence in DV certificates will lead to the loss of the value of EV certificates.

Delivery Criteria

Only certification authorities that have passed an independent qualified audit can offer EV certificates, and all centers must follow the release requirements, which are aimed at:

• Establishing the existence of a legal entity and site owner;
• Establishing the fact that a legal entity does own this domain;
• Confirmation of the identity of the owner of the site and the authority of persons acting on behalf of the owner of the site.

With the exception of EV certificates for .onion domains, it is not possible to obtain a wildcard certificate with Extended Validation - instead, all fully qualified domain names must be included in the certificate and verified by a certification authority.

User interface

EV-enabled browsers show certificate availability - usually a combination of the name of the organization and the location of the organization. Browsers Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera and Google Chrome support EV.

Extended verification rules require participating certification authorities to assign a specific EV identifier after the certification authority has completed an independent audit and other criteria have been met. Browsers remember this identifier, match the EV identifier in the certificate with the one in the browser for the certification authority in question: if they match, the certificate is recognized as valid. In many browsers, an EV certificate is signaled by:

• The name of the company or organization to which the certificate belongs.
• A distinctive color, usually green, displayed in the address bar, which indicates that the certificate was received as HTTPS.
• The “lock” symbol is also in the address bar. By clicking on the “lock”, you can get more information about the certificate, including the name of the certification authority that issued the EV certificate.

Update! 09.29.2019

Google Chrome version 77 is released now for Windows, Linux, macOS, ChromeOS, IOS and Android users. The new release removed the UI indicator for Extended Validation (EV) certificates from the browser's address bar, it is also known as "Green Address Bar".