EV certificates help provide user assurance and foster trust. Removing them would open the door to greater security issues.
When it comes to web browser security, we've all been told that a padlock icon means the website we're visiting is secure. Behind that little padlock lives a publicly trusted SSL certificate, a digital credential designed to validate the authenticity and identity of the company or party behind the website. This matters for two reasons. On the consumer side, the padlock gives us trust in our online interactions and a feeling of relative safety while browsing. On the business side, it lets a company give visitors confidence in the identity, and by extension the reputation, behind its site.
Technically, SSL/TLS certificates authenticate the web server and enable the encrypted channel between that server and the browser. There are essentially three levels of publicly trusted certificate. The first and most basic is domain validated (DV) certification, which confirms only that the applicant controls the domain name. DV certificates are easy to obtain, usually requiring no more than a quick application and a small fee. The second, organization validated (OV) certificates, require more legwork, as they are issued only once the website's identity can be tied to a company. The third is extended validation (EV). EV certificates are commonly used by midsize to large enterprises, as they provide the greatest level of user assurance and visibility. EV certificates cost more and take longer to obtain, but the time and cost are well worth the extra level of website confidence and trust they provide. EV certificates also put the company's name in the address bar next to the padlock icon. All levels of certificate are created and issued by a certificate authority, but not all certificates are created equal. The big browser vendors (Google, Safari, Firefox and Microsoft) have the final say, since their browsers decide whether a website's certificate is accepted or rejected.
Back in 2005, a group of certificate authorities founded a forum with the browser vendors called the CA/Browser Forum. The forum's collective job is to continually design and revise the rules and measures governing certificates, with internet security as the goal.
Over the last month, the CA/Browser Forum and the major browser vendors announced separate changes that will drastically alter the internet's landscape, perhaps unbeknownst to the average consumer.
Earlier in August, the forum announced a proposal to reduce the maximum validity of SSL/TLS certificates from two years (today's practice) to one year, starting March 2020. At the same time, Google and Firefox announced plans to stop showing a company's name in the URL bar, which amounts to eliminating EV certificates.
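As an added illustration (not code from the original article), the Python below classifies a certificate as DV, OV or EV from the identity fields in its subject, pulls out the organization name a browser would have shown in the address bar, and flags validity periods longer than the proposed one-year cap. It works on the dictionary shape Python's ssl.getpeercert() returns; the sample certificates are constructed, and the DV/OV/EV split is a heuristic on subject fields (browsers actually decide EV status from the certificate's policy OID against the root's EV policy), so it indicates rather than proves the validation level.

```python
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV
# certificate; an OV certificate carries organizationName but not these.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}
MAX_VALIDITY_DAYS = 365  # the one-year cap discussed above

def subject_fields(cert):
    """Flatten the nested subject tuple from ssl.getpeercert() into a dict."""
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}

def validation_level(cert):
    """Heuristic DV/OV/EV classification from the subject's identity fields."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"  # domain control only, no verified organization
    if EV_ONLY_FIELDS.issubset(subject):
        return "EV"  # verified organization plus the EV-mandated identity fields
    return "OV"

def validity_days(cert):
    """Length of the validity period in whole days (notBefore to notAfter)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400

def assess(cert):
    """What a browser could display for this certificate, plus the lifetime check."""
    days = validity_days(cert)
    return {"level": validation_level(cert),
            "organization": subject_fields(cert).get("organizationName"),
            "validity_days": days, "exceeds_one_year": days > MAX_VALIDITY_DAYS}

# Constructed sample certificates in the shape ssl.getpeercert() returns
# (hypothetical organization and domain; not real certificates).
SAMPLE_DV = {"subject": ((("commonName", "example.com"),),),
             "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "May 30 00:00:00 2020 GMT"}
SAMPLE_OV = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),)),
             "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2021 GMT"}
SAMPLE_EV = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                         (("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),), (("serialNumber", "0000000"),),
                         (("commonName", "www.example.com"),)),
             "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(assess(cert))
```

Against a live site, the same functions can be fed the dictionary from `ssl.SSLSocket.getpeercert()` after a normal TLS handshake.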
Browser vendors cite a few reasons for the change, chiefly that including the company name in the address bar takes up valuable real estate. They also argue that there is little proof that EV certificates harden a website against compromise or attack. The alternative, they suggest, is making certificate issuance accessible and standard for everyone through a provider such as Let's Encrypt. Unlike the commercial certificate authorities, Let's Encrypt provides a one-size-fits-all, publicly trusted SSL certificate to websites for free. It's a promising concept, especially given the number of websites today that have no SSL certificate at all. The problem with a one-size-fits-all approach is that the differentiation and barrier to entry that EV certificates provide are stripped away. This has significant potential impact in the business world, where companies are waging war against hackers who win through identity theft, impersonation and phishing. To the average user, every website will look the same from a security perspective, meaning every padlock will appear equally trustworthy and giving them no way to tell a validated organization from a malicious site.
While there is an argument for making certificates broadly available to all websites, which would bring them to a common level of validation, the reality is that the common level would remain low, as Let's Encrypt and similar providers only issue DV, or basic, certificates. Hackers will still impersonate businesses, applying for certificates and building clone websites with the intent of phishing the business's customers and prospects. A simple, low-cost application process means a hacker armed with a company's basic information can complete it and build a look-alike site that easily tricks visitors.
Outside the CA/Browser Forum's guidance, the world wide web remains relatively unregulated, which makes it a playground for opportunistic hackers willing to put in the work and a nightmare for unsuspecting, trusting website visitors.
In the grand security scheme, fundamentals such as certificates are often taken for granted and underappreciated for the role they play in the security of consumers and businesses in the digital marketplace. Yet we have entered the age of security scrutiny and regulatory reform. Data privacy regulations and government and industry guidance mean every business is committed to protecting its customers' data and its own brand and reputation. Removing a company's ability to demonstrate its level of authenticity to visitors through certification strips it of part of its custodial responsibility and security due diligence. It also inadvertently opens a host of new security risks.
Publicly trusted certificates represent a level of trust in an untrusted internet. As security and trust professionals, our mission is to help foster digital trust; a seemingly innocuous browser update like this has the potential to eliminate that trust in one fell swoop.