
Will the real website owner please stand up?

How EV certificates reveal who is really behind a website

By Jay Munro

I use the web for everything I can—from banking to making restaurant reservations. If a company doesn’t have a website, I probably won’t do business with them. But doing business online does include an element of risk. Theft and deceit via phishing scams are sometimes hard to recognize. If you’re like me, you want to know if the website you’re visiting is run by the organization you expected and therefore probably trust.

I use Windows Internet Explorer 7, and lately, when visiting websites like eBay and PayPal, I’ve noticed that the Address bar is green. So what does that mean? A green Address bar tells you that you’re connected to a website whose ownership has been verified by a trusted Certification Authority. It means that the site is using an Extended Validation SSL (Secure Sockets Layer) certificate, or EV certificate.

Picture of a green Address bar in Internet Explorer
The Address bar turns green when a website uses an EV certificate

When a website uses an EV certificate, Internet Explorer 7 turns the Address bar green, and the right side of the Address bar alternates between the name of the website owner and the name of the Certification Authority that issued the certificate. Under the hood, the browser recognizes an EV certificate by an EV policy identifier inside the certificate that it has on file for the issuing CA; the certificate still has to chain to a trusted root and pass all the usual checks. An EV certificate means that the website owner has gone through a stricter identity check, so a verified legal entity stands behind the site. Unfortunately, it doesn’t mean that the business can’t rip you off, but if they do, at least you’ll know who did it and where to find them.

What’s a certificate?

Even if you haven’t heard of certificates, you’ve probably seen the little lock icon that shows up on the Security Status bar (part of the Address bar in Internet Explorer 7) or on the Status bar at the bottom of the window in earlier versions of Internet Explorer. You might also know that the lock means you have a secure connection to a website. A certificate is a small digital file that binds a website’s public key to a name, signed by a Certification Authority. Your browser uses it to confirm that it is really talking to that site and to set up an encrypted connection, known as a Secure Sockets Layer (SSL) connection, that keeps information private between you and the website. That is what turns on the little lock. But did you know that a certificate is also meant to verify the identity of the organization or owner behind a secure website?

A certificate is issued by a trusted company called a Certification Authority (CA), which verifies the identity of the certificate holder. Examples of CAs include VeriSign, Comodo, and GoDaddy. You can see this information by clicking the lock icon in your browser, which opens a security report showing what the CA vouches for: the business name (if the CA verified one), the website name (domain), and how long the certificate is valid. In the early days, when there were only a few CAs, certificates were fairly costly and required an applicant to provide a good deal of information. The process a website owner had to go through to get a certificate was often enough to keep phishing sites (which don’t want you to know who they are) from using SSL at all.

Picture of the Security Status bar in Internet Explorer
The Security Status bar in Internet Explorer

Picture of the security report in Internet Explorer
To view the security report, click the lock, organization, or CA name in the Security Status bar

Not all certificates are equal

While all certificates let a website make an SSL connection (and display the little lock icon in your browser), they don’t all tell you the same things, so you don’t always get the information you need to decide whether to trust a website. As the number of Certification Authorities grew and prices for certificates fell, CAs began issuing certificates that contain no verified information about who owns the website. These lower-priced, domain-validated certificates assert only that whoever requested the certificate controlled the domain named in it at the time. They say nothing about who that is, and they don’t stop anyone from registering a look-alike domain and getting a perfectly valid certificate for it. A certificate for “micr0s0ft.com” (using zeros instead of the letter ‘o’) is just as valid as one for “microsoft.com”; the only difference is the name written inside it, which you have to read for yourself.

This means it’s possible for the bad guys to set up phishing sites over a secure connection to fool you into parting with your money or personal information. They register a domain of their own, obtain a valid certificate for it, and use tricks in the address to make it look like another site. You see the lock icon, and unless you look closely at the certificate or at the address of the site, you might not notice that this isn’t the website you expected. Now, while I’m saying it’s possible for this to happen, you should know that most legitimate CAs will do some basic checking into the site owner, even on the lowest-priced certificates.

Picture of a malicious website address in Internet Explorer
The trusted website you expect (www.contoso.com) is displayed on the left of the Address bar, but scroll to the right, or hover over the address, to see the actual address (192.168.12.145) of the malicious website
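The address tricks above (a look-alike name, and a trusted name shown on the left of an address that really leads somewhere else) come down to one question: which host does the browser actually connect to? The following is an added example, not code from the original article or from Microsoft, that extracts the real host from a URL the way a browser would and compares it with the site you meant to visit. The sample addresses are constructed for this example: www.contoso.com is Microsoft’s placeholder domain, the IP address and the look-alike names are made up, and the small table of confusable digits is an assumption that covers only the cases shown here.

```python
"""Added example (not from the original article): find the host a URL really
points at and compare it with the site you meant to visit.

The URLs below are constructed for this example. www.contoso.com is
Microsoft's placeholder domain; the IP address and look-alike names are
made up for illustration.
"""
from urllib.parse import urlsplit

# Digits that are easy to mistake for letters in an address. Assumption:
# this short table is enough for the examples here; a real checker would
# use a fuller confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s"}

EXPECTED = "www.contoso.com"

# Constructed sample addresses that all "look like" contoso at a glance.
SAMPLE_URLS = [
    "https://www.contoso.com/login",                       # the real site
    "http://www.contoso.com@192.168.12.145/login",         # text before '@' is a login name; the host follows it
    "https://www.contoso.com.secure-login.example/login",  # expected name is only a subdomain
    "https://www.c0nt0s0.com/login",                       # zeros for the letter 'o'
    "https://www.c\u043entoso.com/login",                  # Cyrillic 'o' (U+043E) instead of Latin
    "https://192.168.12.145/www.contoso.com/login",        # expected name hidden in the path
]


def real_host(url):
    """Return (host, userinfo) the way a browser would resolve them.

    urlsplit() treats everything before the last '@' in the authority as
    username/password, so the host is whatever follows the '@'.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("no host in %r" % url)
    return parts.hostname, parts.username


def normalise(host):
    """Fold confusable digits so that www.c0nt0s0.com becomes www.contoso.com."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def classify(url, expected=EXPECTED):
    """Say how a URL relates to the site you expected."""
    expected = expected.lower()
    host, userinfo = real_host(url)
    if host == expected:
        return "ok"
    if userinfo is not None:
        return "userinfo-trick"    # the name shown on the left is just a login name
    if host.startswith(expected + "."):
        return "subdomain-trick"   # someone else's domain with our name prefixed
    if not host.isascii() or "xn--" in host or normalise(host) == normalise(expected):
        return "look-alike"        # non-Latin letters, punycode, or digit substitution
    return "other-host"


def audit(urls, expected=EXPECTED):
    """Map each URL to its verdict and the host it really names."""
    return {url: (classify(url, expected), real_host(url)[0]) for url in urls}


if __name__ == "__main__":
    for url, (verdict, host) in audit(SAMPLE_URLS).items():
        print("%-15s %-22s %s" % (verdict, host, url))
```

The point of the userinfo case is that the text a casual reader takes for the site name is, to the URL parser, a login name that is discarded; only what follows the ‘@’ is ever resolved. The same parsing rule is what the certificate’s domain name is checked against, so a certificate for the look-alike host will validate cleanly.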

Offering cheap certificates is a service to many websites (my son uses one on his blog site), but if consumer confidence drops, it could be bad for business. In the past, the problem was that there wasn’t a standard for the type of information that would give a user enough confidence to give personal or financial information (such as credit card numbers to buy stuff) to a website. The Extended Validation SSL certificate is the solution.

An EV certificate costs a bit more and involves a rigorous, standardized vetting process. It’s based on thorough procedures that some Certification Authorities were already following. Because the procedures are standardized, an EV certificate from any Certification Authority rests on the same checks. It’s kind of like going to a foreign city and seeing a local hamburger or coffee chain store: you know what you’re going to get. To receive an EV certificate, a website owner has to prove where the business is located, who owns it, and that the person requesting the certificate has the authority within the organization to do so, among other things. For the nitty-gritty details, read the “EV SSL Certificate Guidelines” document on the Certification Authority/Browser Forum website.

When good certificates go bad

There are times when certificates go bad. A Certification Authority doesn’t just collect the money and issue a certificate; it also publishes whether each certificate it issued is still good. When you go to a secure website, your browser (under the hood) can ask the CA whether the certificate has been revoked, by downloading the CA’s certificate revocation list or querying its online certificate status (OCSP) responder at the addresses listed in the certificate. If the certificate chains to a trusted CA, matches the site’s name, is within its validity dates, and hasn’t been revoked, you get a valid connection.

One of the most common certificate problems you might see is an expired certificate. You’ll find that a website you’ve been doing business with for years all of a sudden gets blocked with a page that displays the message: “There is a problem with this website's security certificate.” If you continue to the website, the Address bar turns red and a “Certificate Error” message displays in the Security Status bar.

Picture of a red Address bar with a Certificate Error message
The Address bar turns red when there’s a problem with a website’s certificate

This can happen if the website owner isn’t paying attention to the expiration date on the certificate. The connection is still encrypted, but the Certification Authority no longer vouches for the certificate. It could be that the website owner just forgot to renew the certificate. It could also be that someone who left the company kept a copy of the private key that goes with the certificate and is using the old certificate to do a little side business. (The certificate itself is public; the private key is the secret that needs protecting, and a leaked key is a reason to have the CA revoke the certificate, which is the next kind of error.)
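The security report described earlier shows three things the CA vouches for (business name, domain, validity period), a domain-validated certificate leaves the business name out, and an expired certificate is one the CA no longer stands behind. The following is an added example, not code from the original article or from Microsoft, that reads those fields out of a certificate and reports what it actually tells you about the visit. The certificates are dicts in the shape that Python’s ssl.SSLSocket.getpeercert() returns for a validated peer certificate, so the same functions can be run on output captured from a real connection. All three certificates are constructed for this example: Contoso is Microsoft’s placeholder company, “Example CA” is made up, and the date used as “today” is an assumption. Revocation is not recorded in the certificate, and getpeercert() does not expose the policy identifiers that mark a certificate as EV, so neither is decided here; the example distinguishes only “organization verified” from “domain only”.

```python
"""Added example (not from the original article): read the identity and
validity information out of a certificate and decide what it actually
tells you about the site.

The certificates are dicts in the shape that Python's
ssl.SSLSocket.getpeercert() returns for a validated peer certificate.
All three are constructed for this example; Contoso is Microsoft's
placeholder company and "Example CA" is made up.
"""
import ssl
from datetime import datetime, timezone

# Constructed: a certificate whose CA verified the organization name.
CONTOSO = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Contoso Ltd"),),
                (("commonName", "www.contoso.com"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
    "subjectAltName": (("DNS", "www.contoso.com"), ("DNS", "contoso.com")),
}

# Constructed: Contoso's previous certificate, which has run out.
CONTOSO_EXPIRED = dict(CONTOSO, notBefore="Jan  1 00:00:00 2006 GMT",
                       notAfter="Dec 31 23:59:59 2007 GMT")

# Constructed: a domain-validated certificate for a look-alike domain.
# It is perfectly valid; it just names no organization and a different host.
LOOKALIKE = {
    "subject": ((("commonName", "www.c0nt0s0.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar  1 00:00:00 2008 GMT",
    "notAfter": "Feb 28 23:59:59 2009 GMT",
    "subjectAltName": (("DNS", "www.c0nt0s0.com"),),
}

NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)   # assumed "today" for this example


def subject_field(cert, attr):
    """Return one attribute (e.g. organizationName) from the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def dns_names(cert):
    """Host names the certificate covers: the SAN entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_field(cert, "commonName")
        names = [cn] if cn else []
    return names


def name_matches(host, names):
    """Exact match, or a wildcard that stands for exactly one label."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def assess(cert, expected_host, now=NOW):
    """Summarise what the certificate asserts and whether it fits the visit.

    Revocation is not recorded in the certificate itself, so it is not
    checked here; a browser has to ask the CA (CRL or OCSP) for that.
    """
    ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])   # stdlib parser for this date format
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "organization": subject_field(cert, "organizationName"),   # None on a domain-only certificate
        "names": dns_names(cert),
        "name_ok": name_matches(expected_host, dns_names(cert)),
        "expired": ts > not_after,
        "not_yet_valid": ts < not_before,
    }


def verdict(cert, expected_host, now=NOW):
    """One-line reading of assess(), in the spirit of the security report."""
    a = assess(cert, expected_host, now)
    if a["expired"] or a["not_yet_valid"]:
        return "certificate error: outside validity period"
    if not a["name_ok"]:
        return "certificate error: issued for %s, not %s" % (", ".join(a["names"]), expected_host)
    if a["organization"] is None:
        return "domain only: no organization was verified"
    return "organization verified: %s" % a["organization"]


if __name__ == "__main__":
    for label, cert in (("contoso", CONTOSO), ("expired", CONTOSO_EXPIRED), ("look-alike", LOOKALIKE)):
        print("%-10s %s" % (label, verdict(cert, "www.contoso.com")))
```

Run against the look-alike certificate with the host you actually typed (www.c0nt0s0.com) it reports “domain only”, which is exactly the situation the lock icon hides: nothing is wrong with the certificate, there is just nobody named in it.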

There are other errors too, such as a revoked certificate. This could mean the website company lost control of the private key used to secure your connection, or did something really nasty, such as obtaining the certificate fraudulently. Unlike with expired certificates, Internet Explorer does not offer an option to continue to a site with a revoked certificate, as a security measure. For more information, see About certificate errors.

Is that all there is?

Visiting websites that don’t have EV certificates isn’t necessarily a bad thing—it just means that there might not be enough information on which to base a trust decision.

While EV certificates are a standardized way of checking out an organization, Certification Authorities can use the same or similar procedures for their non-extended certificates. I use websites (like my bank and a couple of credit card companies) that don’t have EV certificates, but I usually double and triple check the website address in the Address bar to be sure it’s the domain I am expecting.

Going to secure websites sometimes takes a little extra effort. The fact that I type in the website address (and don’t click it from a phishing e-mail that tells me my account is expired) makes a big difference too. The bottom line is that certificates can show you information about the identity of the website domain, business, or owner. The question you have to ask yourself is this: is there enough information for you to feel comfortable about trusting the site? With Extended Validation SSL certificates, the CA industry hopes you’ll have everything you need to answer that question.

About the author


Jay Munro is a writer on the Windows team at Microsoft, specializing in Internet Explorer. Previously, he was a project leader with PC Magazine labs and a freelance writer for PC Magazine, Extreme Tech, PC Today, C-Net, Computer Shopper, and other magazines.




© 2008 Microsoft Corporation. All rights reserved.