EV SSL Certificates - does anyone care?

@Mendez628

Posted in: #Https #SecurityCertificate

Is anyone aware of any data or studies from an impartial source that show the impact of EV SSL certificates on customer behavior? I've been unable to find any such studies. If an EV SSL certificate increases sales on a web storefront by even a few points, I can see the value.

Aside from data targeted at EV SSL, it may be possible to guess at customer behavior based on user interaction with regular SSL certificates. Are users even aware of SSL security? Does regular SSL have any proven effect on web storefront sales?

Note that I'm not asking about the necessity of good encryption - I'm asking about a potential customer's perception of security & trust.




3 Comments


@Yeniel560

I too have been unable to find independent studies showing an increased perception of trust associated with the green bar.

Digicert published a white paper pompously titled "The Impact of Extended Validation (EV) Certificates on Customer Confidence" claiming that 59% more users "said they were most likely to enter their details" into a site displaying an EV SSL certificate vs. a regular one. But if you read how the study was done, it's ludicrous:


In a recent study, Tech-Ed taught 384 people that companies
with EV SSL Certificates on their website go through a more
rigorous validation process than those with standard SSL
Certificates. They also taught them that sites secured with
EV SSL Certificates could be identified by their green bar.
After completing the study, Tech-Ed found the following: [...]


There's also no mention of what exactly "Tech-Ed" was back in 2007 when it allegedly conducted the study.

Verisign published a white paper in 2009 citing a 10% increase in conversions for users in older demographics:


Japanese consumer products company Lion Corporation focuses
its E-commerce site on the elderly, who are often new to Internet
shopping and especially concerned about divulging personal information.
To help quell their fears, Lion adopted VeriSign® Extended Validation (EV)
SSL Certificates, which delivered 10% more conversions for users
who saw the green bar.*

*Your company’s results could vary. VeriSign, Inc. and its subsidiaries make no warranties of any kind (whether
or express, implied or statutory) with respect to the services described or information contained herein.


Wikipedia mentions no studies on the topic.

This article links to some studies showing that badges and seals (rather than EV certs) increase conversion rate.

Security expert Prof. Peter Gutmann stated that the new class of certificates restores a CA's profits, which were eroded due to the race to the bottom that occurred among issuers in the industry:


The introduction … of so-called high-assurance or extended validation (EV) certificates that allow CAs to charge more for them than standard ones, is simply a case of rounding up twice the usual number of suspects—presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting. Indeed, cynics would say that this was exactly the problem that certificates and CAs were supposed to solve in the first place, and that “high-assurance” certificates are just a way of charging a second time for an existing service. A few years ago certificates still cost several hundred dollars, but now that the shifting baseline of certificate prices and quality has moved to the point where you can get them for .95 (or even for nothing at all) the big commercial CAs have had to reinvent themselves by defining a new standard and convincing the market to go back to the prices paid in the good old days.

This déjà-vu-all-over-again approach can be seen by examining Verisign’s certificate practice statement (CPS), the document that governs its certificate issuance. The security requirements in the EV-certificate 2008 CPS are (except for minor differences in the legalese used to express them) practically identical to the requirements for Class 3 certificates listed in Verisign’s version 1.0 CPS from 1996. EV certificates simply roll back the clock to the approach that had already failed the first time it was tried in 1996, resetting the shifting baseline and charging 1996 prices as a side-effect. There have even been proposals for a kind of sliding-window approach to certificate value in which, as the inevitable race to the bottom cheapens the effective value of established classes of certificates, they’re regarded as less and less effective by the software that uses them (for example browsers would no longer display a padlock for them)


Users on serverfault also explain why SSL certificate classes don't make any difference and are just a marketing ploy.

2016 update

LetsEncrypt (which doesn't do any EV) has seen massive adoption (~2,000,000 certificates in 4 months).

Its certificate gets a near-perfect score of 'A' on Qualys SSL Server Test.


@Ogunnowo487

EV SSL is a bit of a scam. It's basically a band-aid solution to a more fundamental problem—a breakdown in the chain of trust due to the lack of regulation in the issuing of SSL certificates. EV SSL certificates are basically there to do what regular SSL certificates were doing 10 years ago: to verify that a website is who it claims to be. That's why a chain of trust was created from the root CAs to make sure any site possessing an SSL certificate signed by a CA was on the level.

The reason you pay a CA an annual fee instead of creating a free self-signed certificate is because you need someone in the chain of trust to vouch for your identity. If the root CA is trusted, and they vouch for another CA, who in turn vouches for another CA, who vouches for another CA, who then vouches for somebank.com, then the chain of trust ensures that everyone is who they are, and the end user knows that somebank.com is really owned by Some Bank.

But for this to work, CAs need to do their homework and exercise some discretion in who they vouch for. If they certify another CA, they need to make sure that CA is trustworthy. If they certify a website, then they need to make sure it's not a phishing site posing as another company. That's the only reason to pay a CA for a signed certificate—because they're supposed to verify each site is owned by who they claim to be before issuing a certificate. And they're meant to verify this each year.

The creation of EV SSL is basically admitting that the original chain of trust is broken, that now there are CAs in the chain of trust that are neglecting their duty. So now we're going to create a new name for trustworthy certificates and make that the new standard. This basically makes all regular signed certificates worthless since end users can't trust that an SSL certificate signed by a trusted CA is actually any better than a self-signed certificate or one signed by an unknown company.

The real solution is to fix the chain of trust and force CAs to actually vet their certificate recipients and do their job. If a CA isn't doing its job, then it needs to be removed from the chain of trust. And this accountability should be required all the way up the chain to root CAs. Otherwise, we'll just end up with another level of certificates 10 years from now when commercial competition drives the price/quality of EV certificates down too.

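The chain-of-trust walk this answer describes, as an added example that is not part of the original post (Go 1.21+, standard library only): it constructs a toy root CA, an issuing CA and two leaf certificates for somebank.com, one plain and one carrying the CA/Browser Forum EV policy OID, and shows that both pass exactly the same validation. The CA names and every certificate are constructed here; the only real identifiers are the EV policy OID 2.23.140.1.1 and the certificatePolicies extension OID 2.5.29.32 that browsers used to decide whether to show the green bar.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/Browser Forum EV policy OID: what the green bar keyed on
// issue returns a certificate for cn signed by parent (self-signed when parent is nil); key usage is kept permissive so one helper plays CA and leaf.
func issue(cn string, isCA, ev bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if ev { // the entire "EV upgrade" is one certificatePolicies (2.5.29.32) extension; key, chain and signature are unchanged
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{evPolicyOID}}) // PolicyInformation without qualifiers
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// check asks two independent questions: does leaf chain to root through inter (what protects the user), and does it carry the EV marker (what only changes the UI)?
func check(leaf, inter, root *x509.Certificate) (chainOK, isEV bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "somebank.com"})
	return err == nil, slices.ContainsFunc(leaf.PolicyIdentifiers, evPolicyOID.Equal)
}
// demo builds a constructed root and issuing CA, then a DV-style and an EV-style leaf for somebank.com; both pass the same chain walk.
func demo() (dvOK, dvEV, evOK, evEV bool) {
	root, rootKey := issue("root-ca.example", true, false, nil, nil)
	inter, interKey := issue("issuing-ca.example", true, false, root, rootKey)
	dv, _ := issue("somebank.com", false, false, inter, interKey)
	ev, _ := issue("somebank.com", false, true, inter, interKey)
	dvOK, dvEV = check(dv, inter, root)
	evOK, evEV = check(ev, inter, root)
	return // true false true true
}
func main() { fmt.Println(demo()) }
```

The same check() also rejects an EV-marked leaf from a CA that is not in the trusted roots, which is the point the answer makes: the chain walk, not the marker, is what vouches for somebank.com.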

@Murray432

This is anecdotal evidence, not an impartial study or source, but when we implemented an EV Certificate we noticed almost no difference in sales. But that's mainly because we were a normal B2B commerce website, not a bank.

That said, yes, users are aware of what SSL is, but it didn't seem to make a huge difference to us. We used to run the entire website on SSL, and then decided to only switch the user to SSL during the login process (and keep them on SSL) and we actually found that traffic and sales increased (I don't know why?).

That said, you've hit the nail on the head - for us at least, it all seems to be about the perception of trust, rather than the actual act of encrypting the data.
