Protecting Your Brand & Customers
The Business Value of Extended Validation SSL Certificates
Published April 2009
Version 1.1
Abstract
Deceptive e-mail and malicious web sites are increasingly compromising users’ personal information,
damaging their online trust and confidence, and tarnishing brands’ online reputations. Microsoft has
responded to these threats with several solutions incorporated into Internet Explorer 8, centered on
support for Extended Validation SSL Certificates (EV Certificates). This paper is designed to help
businesses understand the business value of EV Certificates, describe how their use fits into a broader
layered Internet defense strategy, and offer a review and outline of the process for obtaining the
certificates for their websites.
Contents
Introduction ................................................................................................................................................. 1
Business Value of EV Certificates ............................................................................................................. 1
How Internet Explorer and EV Certificates Work Together .................................................................... 4
EV Certification Specifications and the Issuing Process ...................................................................... 6
Obtaining EV Certificates ........................................................................................................................... 6
Summary ...................................................................................................................................................... 8
Acknowledgments ...................................................................................................................................... 8
Resources .................................................................................................................................................... 9
The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording or
otherwise), or for any purpose, without the express written permission of Microsoft.
Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be
inferred.
Microsoft, Internet Explorer, the Internet Explorer logo, SmartScreen, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of
companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
© 2009 Microsoft Corp. All rights reserved.
INTRODUCTION
Deceptive e-mail, phishing, and malicious web sites have grown exponentially, increasingly compromising
unsuspecting users’ online trust and confidence. These threats have emerged across nearly all business
sectors, from ecommerce and banking to government services, not-for-profits, and academia.
Consequently, the brand reputations of leading web sites (including top ecommerce and banking sites)
are being tarnished. Users are increasingly concerned that a given website may not really be who or what
it claims to be. An increasing number of customers will not click on links that would otherwise take them
to a brand’s website for fear of malware or related threats. Other users decide not to complete website
transactions when they reach the point of having to enter confidential information. User hesitancy in
sharing confidential information impacts a business’s ability to communicate with its customers, conduct
ecommerce and online banking, or exchange information with social networking sites.
Extended Validation SSL Certificates (EV Certificates) are proving to be a solution to these threats and
are a critical component of a site’s layered defense strategy. Through the verification and audit process,
EV Certificates are an added barrier and tool to help combat deceptive and illicit businesses, providing
differentiation and recognition for holders of EV Certificates. EV certificates represent a standard now
adopted worldwide by all leading browsers. It is recommended that web sites which conduct online
transactions and use log-on credentials evaluate EV certificates as part of their security and brand
protection strategy.
This guide is designed to help businesses and site owners understand the business value of EV
Certificates, and offer a review and outline of the process of qualifying for them. For technical
implementation information including an implementation guide, visit www.microsoft.com/ie/ie8. Additional
information is available from the Certificate Authority / Browser Forum (CA/B Forum)
http://www.cabforum.org and from the Authentication and Online Trust Alliance (AOTA) EV SSL Certificate
resource center www.aotalliance.org/resources/EV.
Business Value of EV Certificates
By implementing EV Certificates, websites can help provide assurance to their users that a website is in
fact the site that their users intended to visit. In the two years since EV Certificates were first introduced,
they have demonstrated that sites that implement them realize significant benefits ranging from increased
transactions and click-through, to reduced shopping cart abandonment. EV Certificates are proving to be
a valuable tool for rebuilding consumer confidence and brand protection by communicating to the user
clear visual indicators of validated site identity and the related security of the content being exchanged on
the site.
Today consumers are faced with increasing levels of deceptive emails, a proliferation of look-alike sites
targeting credit card fraud, identity theft, and privacy abuses. Users are finding it difficult to distinguish
the fraudulent sites from their legitimate counterparts. They are understandably hesitant to connect for
online financial, ecommerce, and other sensitive transactions and they may limit the information they
share with these websites. Brands are damaged when the user has no way to distinguish a spoof site
from the real business site.
Historically, companies conducting ecommerce and obtaining personal data have adopted SSL
certificates to help to communicate the legitimate identity of their site. The SSL certificate contains
information about the identity of the certificate holder, the domain that the certificate was issued to, and
the country it was issued in. The certificate is installed on the server and is used to encrypt the data traffic
as well as help identify the given website via an https:// connection.
While SSL was designed to provide secure connections in order to protect information from being
accessed by third parties, online criminals and deceptive businesses have been able to obtain ‘valid’ SSL
certificates for their sites. This problem stems in part from the lack of a uniform validation
process across certificate providers. In addition, SSL certificates have become somewhat commoditized,
allowing them to be easily obtained under false pretenses. Many deceptive and phishing sites have
secured commonly misspelled domain names and use mixed-language character sets, all in an attempt to
get a user to “trust” the site and share personal information. As a result, users can be fooled into thinking
they are on the intended or legitimate website.
In order to provide users with a higher level of trust, Microsoft, other browser developers, and over two
dozen certificate providers created the Certificate Authority/Browser (CA/B) Forum, an industry-wide
effort, and developed the Extended Validation SSL Certificate (EV Certificate). Working with the American
Bar Association, the Forum created a standardized authentication and identity verification process that
every Certificate Authority (CA) must follow. This process not only helps to avoid issuing certificates to
deceptive sites, but also provides consistency of implementation.
In October 2006, Microsoft introduced Internet Explorer® 7 as the first browser to support EV Certificates
and continues to provide security innovation with Internet Explorer 8. In contrast to sites with traditional
or no SSL certificates, Internet Explorer indicates sites with EV SSL Certificates by flooding the Address
Bar in green, allowing users to instantly ascertain their presence. In addition, Internet Explorer displays
added details about the business such as location and country of incorporation. This information
alternates between the certificate holder and the name of the CA that issued the certificate.
With the standardization and availability of EV Certificates, businesses now can benefit from increasing
the trust of online users. It is estimated by the CA/B Forum that EV Certificates have been adopted by
over 10,000 sites worldwide including leading ecommerce, travel, and financial service sites. Early
adopters include Alaska Airlines, AutoZone, Banque Nationale du Canada, British Airways, Banque de
Poste, Bank of America, Beijing Rural Commercial Bank, Charles Schwab, Deutsche Bank, eBay,
Escrow.com, Facebook, FedEx, HSBC, PayPal, Pitney-Bowes, Microsoft, Travelocity and Vanguard.
Governmental organizations such as the Internal Revenue Service (IRS) and the Arizona Department of
Education along with academic and not-for-profit sectors including the Michigan State University and the
United Way have adopted EV Certificates to counter phishing exploits and online deception. Even sports
teams like Britain’s Manchester United have adopted EV SSL certificates.
Email and interactive marketing continues to be a robust and growing mechanism to communicate,
conduct commerce, and build customer relationships. While businesses have a desired call-to-action in
their email and advertising campaigns, in each case users must have confidence that they really are
interacting with the site they are expecting. The visual cues and validation provided by using EV
Certificates with Internet Explorer help address these concerns.
EV Certificates can help ecommerce sites benefit from increased user confidence by providing the user a
strong and obvious visual cue which assures that the site is who it claims to be. One of the indicators of
diminished consumer confidence is the level of “shopping cart” abandonment a site encounters.
Numerous studies indicate that by implementing EV Certificates sites can lower the level of cart
abandonment and increase site revenues. For example, Overstock.com reported an 8% reduction and
Fitness Footwear reported a 13% reduction in cart abandonment. Canadadrug.com reported that after
implementing EV Certificates 33% more of the purchases were completed with 27% higher sales per
transaction.
Increased click-through rates and online responses benefit not only ecommerce sites, but also not-for-profits
and governmental agencies, all of which are striving for cost savings and online efficiencies. But these
benefits can only be gained if customers respond, use the services and take action. Many sites that have
adopted EV Certificates are now reporting such benefits. It is anticipated that as consumer awareness
grows, sites which implement EV Certificates will realize a competitive advantage. For example, Flagstar
Bank, an early adopter of EV Certificates, has reported that users who recognized the EV green address
bar presented in Internet Explorer 7 enrolled 10% more than those who did not.
EV Certificates, when used in conjunction with a web browser which offers integrated protection features
from emerging threats, are becoming critical tools for increasing user trust and protecting online brands
from abuse. By implementing EV Certificates, businesses can help remove one of the largest obstacles
that prevent users from sharing personal information and completing online transactions.
How Internet Explorer & EV Certificates Work Together
Internet Explorer and websites’ EV Certificates work together to benefit the user. EV Certificates address
security issues by enforcing process changes in the certificate issuance process. Users are provided
assurances of the website’s identity through visual information displayed by the web browser.
Internet Explorer 7 and Internet Explorer 8 display a number of indicators when a valid EV Certificate is
provided by the website (see Figure 1). Specifically:
1. The background of the Address Bar changes to green, in conjunction with the Domain
Highlighting feature, which presents the domain name in black and the other characters in gray.
2. The familiar gold SSL padlock icon is displayed in the new Security Status Bar, located in the right
portion of the Address Bar.
3. The Security Status Bar alternates between two displays:
a. The name of the legal entity identified for the website (in this case PayPal, Inc.),
along with the name of the country identified as its place of business in the EV
Certificate
b. The identity of the Certificate Authority (in this case VeriSign) that issued the EV Certificate.
The Security Status Bar also provides an easy way for users to view more information (see Figure 2).
Hovering the cursor over the padlock and certificate holder text highlights the area, and a popup is
displayed with more information about the EV Certificate. Clicking on the Security Status Bar will bring up
the security report window containing more detailed information from the certificate.
EV Certificate Specifications and the Issuing Process
The CA/B Forum, a consortium of certification authorities, browser vendors, and the American Bar
Association, developed formal guidelines to mandate uniform business practices in issuing EV
Certificates. The issuing process behind EV Certificates helps ensure that the entity behind a site is
exactly who it claims to be. Certificate Authorities (CAs) that issue EV Certificates have agreed to
perform a consistent set of steps to verify the information provided by the business entity making the
request. Through this audit process, the CA asserts certificate integrity on every certificate they issue.
Several elements are built into the EV Certificate specification that help protect the certificate and keep its
information from being compromised. Secure hash functions, over which the issuing CA’s digital signature is
computed, help ensure that any tampering with the certificate itself is detected. Adding to the integrity, the EV
infrastructure validates that the certificate holder remains in good standing through real-time, dynamic
checking. To protect against the possibility of either a) a certificate holder no longer meeting the validation
criteria, or b) an EV Certificate being issued erroneously or by an unscrupulous CA, the Microsoft Root Store
service can revoke the EV Certificate from the root store at any time, which would result in the user receiving a
certificate error warning page as well as the disabling of the green address bar and all other visual trust
indicators.
It should be noted that the EV Certificates focus only on the identity of the subject named in the
Certificate, and not on the behavior of the subject, nor the security of the site. As such, an EV Certificate
is not intended to provide any assurances, or otherwise represent or warrant that:
1. The subject named in the EV Certificate is actively engaged in doing business
2. The subject named in the EV Certificate complies with applicable laws
3. The subject named in the EV Certificate is trustworthy, honest, or reputable in its business
dealings
4. It is “safe” to do business with the entity named in the EV Certificate
Nevertheless, EV Certificates do fulfill the goal of helping to ensure that the entity behind a site is exactly
who it claims to be, allowing users to proceed with online transactions with confidence that they are on
the site they intended to visit.
Obtaining EV Certificates
The first step toward getting up and running with EV Certificates is to apply for one from an issuing CA.
EV Certificates are available from over 25 CAs worldwide. While traditional SSL certificates can be
obtained within hours, businesses should plan for 2-5 business days to obtain an EV Certificate.
Since EV Certificates are identified using an existing certificate attribute, there is no technical change to
the underlying encryption or certificate structures. No changes are necessary to a site’s infrastructure to
support an EV Certificate. EV Certificates represent no increase in encryption strength or key length,
nor do they make the content of an SSL transaction any harder to break. As such they currently do not
require more server processing time, additional SSL accelerators or user PC resources.
Regardless of which CA a business works with, the actual process of validation and issuing will be
consistent for all CAs. Administrators need to complete steps in the paperwork process such as providing
details about corporate structure and incorporating locale, listing corporate officers, and other entity-related
details. In addition, administrators will need to create a certificate request, following the process
used today for SSL certificates. Once the validation process is complete and the CA has verified the
information, the CA issues the EV Certificate. Administrators then can follow the same installation process
used today for SSL certificates to install EV Certificates onto servers.
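The request and issuance steps just described, together with the signature-based integrity protection described under “EV Certificate Specifications and the Issuing Process”, as an added shell example that is not code from this paper or from any CA: a key pair and certificate request are created with the openssl CLI exactly as for a traditional SSL certificate; a constructed stand-in CA then issues a certificate that carries an EV policy identifier in the certificatePolicies extension, which is the existing certificate attribute by which browsers recognize EV; finally the issued certificate is checked for that marker and verified against the CA, once as issued and once after a single byte has been altered. The names Contoso Ltd, www.contoso.example and Example EV CA are constructed. The policy OID 2.23.140.1.1 is the CA/B Forum’s common EV identifier adopted after this paper was written; in 2009 each CA used its own EV OID, but the mechanism is the same.

```shell
#!/bin/sh
# Added example (not from the Microsoft paper). Models the EV request flow
# with the openssl CLI and a constructed stand-in CA so that it runs offline.
# "Contoso Ltd", www.contoso.example and "Example EV CA" are made-up names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA/B Forum EV policy OID recognised by browsers today. When the paper was
# written each CA used its own EV OID; the marker still lives in the existing
# certificatePolicies extension, which is why no server change is needed.
EV_POLICY_OID="2.23.140.1.1"

# Step 1 (administrator): key pair and certificate signing request, exactly as
# for any SSL certificate. The subject carries the organisation and location
# the CA will check against corporate records; no EV-specific field is needed.
make_csr() {
  cat > "$WORK/site.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
ST = Washington
L = Redmond
O = Contoso Ltd
CN = www.contoso.example
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/site.cnf" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  # Sanity check of the request's own signature before sending it to the CA.
  openssl req -in "$WORK/site.csr" -noout -verify >/dev/null 2>&1
}

# Step 2 (stand-in CA, constructed): after the documentary validation the
# paper describes, the CA signs the request and marks the result EV with a
# policy OID.
issue_ev_cert() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
C = US
O = Example EV CA
CN = Example EV Root
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  cat > "$WORK/site.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.contoso.example
certificatePolicies = $EV_POLICY_OID
EOF
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/site.ext" -out "$WORK/site.pem" 2>/dev/null
}

# Step 3 (administrator): the issued certificate installs like any SSL
# certificate; this check confirms it carries the EV policy marker.
has_ev_policy() {
  openssl x509 -in "$1" -noout -text | grep -qF "Policy: $EV_POLICY_OID"
}

# The CA's signature (over a secure hash of the certificate body) binds the
# contents: verification succeeds for the issued file and fails for a copy in
# which a single byte was altered.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

tampered_copy() {
  # Toggle one character of the Base64 body (line 3, column 20) and print the
  # path of the altered file.
  awk 'NR == 3 { c = substr($0, 20, 1); r = (c == "A") ? "B" : "A";
                 $0 = substr($0, 1, 19) r substr($0, 21) } { print }' \
    "$1" > "$WORK/tampered.pem"
  printf '%s\n' "$WORK/tampered.pem"
}

# Whole flow: request, issuance, EV marker present, chain valid, tamper caught.
ev_flow_ok() {
  make_csr && issue_ev_cert && has_ev_policy "$WORK/site.pem" \
    && chain_verifies "$WORK/site.pem" \
    && ! chain_verifies "$(tampered_copy "$WORK/site.pem")"
}

if ev_flow_ok; then
  echo "CSR created, EV-marked certificate issued and verified in $WORK"
else
  echo "EV flow failed" >&2
  exit 1
fi
```

Run it from any directory; it writes into a temporary directory and prints the path. In practice only the CSR step and the final checks are the administrator’s: the request goes to the chosen CA, the issued certificate is installed with the server’s usual procedure, and the policy and chain checks are what to run on the installed certificate before going live.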
In applying for your EV Certificate, the following is an example of some of the required information:
1. Proof of business registration or incorporation, depending on the type of business or organization.
For example, a certificate of incorporation including the applicant’s jurisdiction of incorporation is
usually required to verify the identity of a corporation. (Note: your WHOIS record needs to be
consistent with your certificate of business or organization’s incorporation.)
2. Verified physical address and phone number of the business presence (PO Box addresses are not accepted)
3. Independent third-party validation of all documents
4. Verification of the applicant’s ownership of domain name(s) via the Internet Corporation for Assigned
Names and Numbers (ICANN) and data in the public WHOIS database, showing the physical address and
name of the administrative contact for the organization
5. A corporate officer or business principal must assert the claims made in the EV application
6. Verification that the applicant and signer are authorized agents of the applicant, including a legal
opinion, accountant letter, and/or corporate resolution
For a comprehensive list of EV Certification criteria, contact your CA or visit the CA/B Forum web site at
www.cabforum.org for a listing of CAs. EV guidelines may be found at
www.cabforum.org/EV_Certificate_Guidelines.pdf.
Summary
Deceptive e-mail and malicious web sites are increasingly damaging users’ online trust and confidence.
User hesitancy in sharing personal information impacts a business’s ability to communicate with its
customers, conduct ecommerce, or exchange information. Extended Validation SSL Certificates (EV
Certificates) are proving to be a solution to this problem, and can be easily implemented by brands and
website publishers. In addition, when compared to SSL certificates, there is no impact to site
infrastructure or performance.
An EV Certificate contains verified information about the legal entity behind a website, allowing users to
make better trust decisions about who they are transacting with on the Internet. Because the entity
verification process is uniform to all issuing CAs, users are becoming more comfortable recognizing and
trusting a site when it displays the EV indicators.
Making the decision to implement EV Certificates on a company’s website is easy. Site owners and
administrators simply need to contact their existing CA for information on the costs of upgrading and
replacing their existing SSL certificates with EV Certificates.
Businesses and users are encouraged to deploy Internet Explorer 8 to maximize online safety, including
enhanced, dynamic anti-phishing and anti-malware protection via the SmartScreen® Filter, Domain
Highlighting, and the Cross-site Scripting Filter. When EV Certificates are combined with a browser which
has been hardened against a range of attacks and exploits, users and businesses alike can realize an
unparalleled level of online trust, confidence and peace of mind.
Acknowledgments
Thanks to the following organizations and companies for their support and editorial input on this paper:
Authentication and Online Trust Alliance (AOTA), Anti-Phishing Working Group (APWG), Certificate Authority
Browser Forum, DigiCert Inc, Entrust Inc, GoDaddy.com Inc, PayPal, Inc., and VeriSign, Inc.
Resources
Internet Explorer 8
www.microsoft.com/ie8
Extended Validation EV SSL Certs
www.microsoft.com/ie/ev
Internet Explorer 8 Privacy Features & User Control
www.microsoft.com/ie/privacy
Consumer Advice
www.microsoft.com/protect
Microsoft Security Resources
www.microsoft.com/technet/security/tools
www.microsoft.com/security
Anti-Phishing Working Group (APWG)
www.antiphishing.org
Authentication & Online Trust Alliance (AOTA)
www.aotalliance.org
CA/B Forum
www.cabforum.org