Web Security and Extended Validation Certificates

TMO Quick Tip

Digital certificates let a company show you that it is running a legitimate Web site -- that the site you're visiting isn't a cleverly crafted page designed to trick you into giving up personal information. A standard certificate, however, only ties a key to a domain name, and there have been cases where certificates were issued to people who shouldn't have had them, so we now have Extended Validation (EV) certificates, which require additional screening of the requesting organization before they can be issued.

Identifying an EV certificate in Safari

Companies that issue digital certificates, or Certificate Authorities (CAs), can create an Extended Validation certificate only after a multi-step process that verifies the identity and operational status of the organization requesting it: that the organization legally exists, that it has a verifiable physical address and is actually operating, and that the person requesting the certificate is authorized to do so on its behalf.

Once issued, your Web browser will let you know when you visit a site that uses an EV certificate. Web browsers typically display the organization's name, taken from the certificate, in green, but there isn't much standardization in how EV-certified sites are identified beyond that. Keep in mind that the green text is the legal name the CA verified, which isn't necessarily the brand name you know the site by.

Identifying an EV certificate in Firefox

In Apple's Safari Web browser, look to the right of the Web page's URL to see if a site is EV certified. In Firefox, you'll look to the left of the URL.

Since the iPhone has less screen space than a desktop or laptop computer, the organization's name appears in green above the URL field instead.

The iPhone's EV certificate indicator

You can also identify Web sites that are using at least a standard certificate by looking for a closed padlock icon somewhere in your Web browser window. Safari tucks the padlock icon in the upper right corner of the window, and Firefox puts it in the lower right corner. The padlock means the connection is encrypted and the certificate chains to an authority your browser trusts; it doesn't tell you who is behind the site, so it is worth clicking it to confirm the certificate was issued for the domain you meant to visit.

There isn't any way to completely guarantee that a Web site is legitimate, but digital certificates and EV certificates make it easier to avoid potential phishing scams and the identity-theft headaches that go along with them.
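The green name is not produced by any extra cryptography. An EV certificate is an ordinary X.509 certificate whose certificatePolicies extension carries an EV policy OID, and the browser draws the indicator only when that OID is one it has recorded for the root the chain ends at. The following is an added example, not code from this article or from any browser, that models that decision with a small DER encoder and decoder written against the Python standard library. The only real identifier in it is the CA/Browser Forum EV policy OID 2.23.140.1.1; the root names, the organization name and the second OID are constructed for illustration.

```python
# Added example (not from the article or any browser's source): a model of the
# browser-side decision behind the green EV indicator, standard library only.
# Real identifier: the CA/Browser Forum EV policy OID 2.23.140.1.1.
# Constructed: the root names, "Example Corp", and the 1.3.6.1.4.1.99999.1.1 OID.

CABF_EV_OID = "2.23.140.1.1"

# Constructed stand-in for the browser's built-in table: for each trusted root,
# the policy OIDs that root may use to mark a certificate as EV.
EV_POLICY_TABLE = {
    "Example Trust Root CA": {CABF_EV_OID, "1.3.6.1.4.1.99999.1.1"},
}


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # remaining arcs: base-128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_certificate_policies(oids):
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID }
    (policy qualifiers omitted). This is the extension an EV CA puts in the cert."""
    return der(0x30, b"".join(der(0x30, encode_oid(o)) for o in oids))


def decode_certificate_policies(ext_value):
    """Return the policy OIDs listed in a DER certificatePolicies value."""
    tag, seq, _ = parse_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = parse_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_content, _ = parse_tlv(info)
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_content))
    return oids


def ev_display_name(chain_root, policies_der, subject_org):
    """Mimic the browser: show subject_org in green only if the chain ends at a
    root in the table AND the certificate carries one of that root's EV OIDs.
    The TLS handshake and encryption are identical either way; this lookup is
    the only thing that differs between an EV and a non-EV certificate."""
    policies = decode_certificate_policies(policies_der)
    allowed = EV_POLICY_TABLE.get(chain_root, set())
    return subject_org if any(p in allowed for p in policies) else None


if __name__ == "__main__":
    ext = encode_certificate_policies([CABF_EV_OID])
    print(ext.hex())
    # A root in the table issuing with the EV OID: the name is shown in green.
    print(ev_display_name("Example Trust Root CA", ext, "Example Corp"))
    # The same extension in a home-made certificate (openssl will happily add
    # it) chaining to a root the browser has no EV entry for: nothing is shown.
    print(ev_display_name("Home-made CA", ext, "Example Corp"))
```

The second call in the demo is the situation a self-issued "EV" certificate produces: the extension is byte-for-byte the kind a real EV CA would emit, but without a matching (root, OID) entry in the browser's table the indicator never appears, which is why the green name is worth more than the padlock alone and why it still says nothing about the page's content.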


Comments

jbruni

In a nutshell, EV certificates are a bit of a marketing ploy. Certificate Authorities, or specifically, Registration Authorities are supposed to validate the identity of those requesting certificates anyway. The actual technology behind “normal” certificates and EV certificates is exactly the same. If the RAs were diligent before allowing CAs to issue certificates, there would be no need for über-checked certificates.

jbruni

Also, anyone can issue an EV certificate. One can do it using openssl. However, your browser isn’t preconfigured to trust them.

looper

Wadeaminnit, wadeaminnit—that last screenshot indicates that you’ve solved an unrelated problem, to which I didn’t know a solution existed.  If I type a URL that includes me.com (I’ve tried several, including https://auth.me.com/, for example, as well as http://www.me.com/) in Safari on an iPhone or iPod touch, I don’t get the MobileMe website—as far as I was aware, doing this always results in redirection to instructions for how to link the iPhone/iPod to one’s MobileMe account directly (i.e., through Mail, Calendar, Contacts, ...).  This is usually fine—why would you want to use the website interface to connect to your MobileMe data when you can use native apps instead?—but occasionally I have had a reason to check my wife’s account from my iPod touch, or mine from her iPhone, which this behavior prevents.  How did you actually get the website interface to open in iPhone/iPod Safari?

Joseph A'Deo

This is a great tutorial on recognizing EV certs, especially on the iPhone, the interface of which is slightly different from a normal browser. However, as a VeriSign online evangelist I also wanted to respectfully reply to some of the prior comments here. EV SSL is actually not the same as ordinary SSL technology—the green URL bar itself, for example, is virtually impossible for phishers to replicate, adding a layer of confidence for consumers visiting websites that phishers are likely to target. Additionally, while CAs are indeed required to check the identity of ordinary cert holders, EV SSL certs were developed to add more trust to websites that also need data point encryption, and the only way to acquire one is to purchase from an appropriate vendor and undergo a thorough CA background check (which requires information that is not required to obtain an ordinary cert and never has been). Bottom line: EV SSL provides more protection due to technology and procurement process.

jbruni

@Joseph A’Deo, I’m going to call BS on the EV cert marketing nonsense. Yes, there is more process involved in getting an EV cert. And, yes, browsers draw a pretty green widget on the screen, but there is no fundamental difference between an X.509 cert without the extended attribute and one with. If the extended attribute is present, the browser draws the widget. The over-the-wire encryption is exactly the same.

EV certs were only created because CAs (especially Verisign) dropped the ball in the trust department.

http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx

Imagine a state issuing a $100 premium drivers license that had special gold trim signifying that at the time you were issued the license, the state official actually measured your height and weight and eye color prior to issuing the license. Then when someone needed to see your ID, they could tell from the gold trim that you really were 5’10”, 175 lbs. and blue eyes. Awesome.

One might say that the state official could verify that you really were who you claimed to be with extra background checks prior to issuing the license and that would justify the extra $100. Except verifying the applicant’s identity was something they were supposed to do in the first place with the original license.
