SSL versus EV SSL

@Shakeerah822

Posted in: #Https #Security #SecurityCertificate

As I understand it, SSL certificates verify the connection between the host and the browser, preventing MITM attacks. Is it true that EV SSL verifies the host itself, thus preventing (in theory) phishing attacks? Are there any other differences between EV SSL and regular SSL?


2 Comments


@Murphy175

Is it true that EV SSL verifies the host itself, thus preventing (in theory) phishing attacks?


Correct, that's the theory, and after having gone through an EV application, I can report that they are incredibly stringent. Our company address was oh-so-slightly different in our application as to what was listed in some company register they were referring to, and our application was rejected multiple times until we got all of the details sorted out.


@Becky754

SSL certificates are used for setting up an encrypted connection between client and server. The identity verification part is in theory done by the certificate issuer before issuing the certificate.

But the SSL market is a bit of a scam, really. Many SSL certificates are issued with an absolute minimum of verification of identity. You can easily find SSL certificates for less than 20 USD, and how much detective work can you get for 20 USD... And mind you, these are not self-signed certificates, but certificates with the same root as the expensive ones from Comodo, Thawte etc.

Extended Validation (EV) certificates are only different in one aspect, but it's an important one: There are clear minimum standards for the verification of identity before issuing the certificate. Based on this, all modern browsers give EV certificates a much more prominent treatment in the user interface -- the 'green bar'.

So the big question for site owners is "Do EV certificates reduce abandonment rate?". Predictably the certificate issuers have released whitepapers stating that they do work, and are worth their much higher price tags. I'm not so sure. I have looked for independent proof of this, and I haven't seen any yet.

Getting a regular SSL certificate is easy, getting an EV one is much harder. You'll generally have to jump through more hoops to establish your identity for EV certs.


Is it true that EV SSL verifies the host itself, thus preventing (in theory) phishing attacks?


They help, but they do not prevent phishing attacks. A phishing attack is someone else impersonating you, in any media from websites to the telephone or fax. If your users look for the EV green bar with your company name, then an EV cert offers some protection against phishing on the web. But how many users really pay attention to this? I'm guessing it's a minority.

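The difference the answers above describe is visible inside the certificate itself. The following is an added example, not part of either answer: it reads the validation level a certificate claims, from the CA/Browser Forum policy OIDs or, failing that, from the subject fields. The function names and the `policy_oids` parameter are assumptions of this example, and the sample certificates are constructed.

```python
# Added example: classify the validation level a certificate claims.
# CA/Browser Forum policy OIDs carried in the certificatePolicies extension.
POLICY_LEVEL = {
    "2.23.140.1.1": "EV",    # extended validation
    "2.23.140.1.2.2": "OV",  # organization validated
    "2.23.140.1.2.1": "DV",  # domain validated
}
# Subject attributes an EV certificate carries, named as Python's ssl module
# (OpenSSL long names) reports them in getpeercert()["subject"].
EV_SUBJECT_FIELDS = {"organizationName", "businessCategory",
                     "serialNumber", "jurisdictionCountryName"}


def flatten_subject(subject):
    """Turn getpeercert()'s tuple-of-RDNs into a plain dict."""
    return {key: value for rdn in subject for key, value in rdn}


def validation_level(cert, policy_oids=()):
    """Return (level, verified organization or None).

    policy_oids is an assumption of this example: getpeercert() does not
    expose certificatePolicies, so the caller supplies them from a full
    X.509 parser. Without them, fall back to a subject-field heuristic.
    """
    subject = flatten_subject(cert.get("subject", ()))
    org = subject.get("organizationName")
    for oid in policy_oids:
        level = POLICY_LEVEL.get(oid)
        if level:
            return level, (org if level != "DV" else None)
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV", org
    if org:
        return "OV", org
    return "DV", None  # only control of the domain name was checked


# Constructed samples in getpeercert() shape (not real certificates).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
EV_CERT = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "1234567"),),
    (("organizationName", "Example Shop, Inc."),),
    (("commonName", "shop.example"),),
)}
```

This reports only what the certificate asserts; a browser additionally requires that the issuing root is one it trusts to issue EV before giving the certificate EV treatment.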