Shorter Certificate Cycles Shouldn’t Mean Ignoring Extended Validation

In terms of browser buzz, the imminent removal of tracking cookies has dominated the headlines. Chrome, for example, has announced it will remove support for third-party cookies in favor of privacy-preserving application programming interfaces (APIs) which prevent individual tracking while still delivering results for advertisers and publishers.

However, another even more potentially impactful development is flying under the radar: A movement to speed up the secure sockets layer (SSL) certificate cycle, reducing validity periods to roughly 13 months to allow for a one-year period and then a one-month grace window for renewal.

The intention is to boost security, reasoning that shorter-term certificates will lead to a shorter lifespan for keys and, therefore, a shorter lifespan for compromised keys that can expose websites to hacks. This acceleration would also require annual updating of website owner information—such as company names, addresses and domains—which would increase user trust.

However, this will also put pressure on major brands (as well as smaller, lesser-known brands) to update their certificates more rapidly on a consistent basis, which could cause extended validation (EV) to go extinct.

So why should we care? Because there are three kinds of SSL certificates, and each one translates to different levels of security (or lack thereof):

Domain validation (DV): This one simply covers basic encryption and verification of the domain name registration owner.

Organization validation (OV): This does what DV does while authenticating certain details about the owner, such as name and address.

Extended Validation (EV): This is the highest level of validation, requiring a thorough examination to document the legal, physical and operational existence of the domain name registration owner. It proves that the company behind the website is indeed its true owner, and the certificate is signed by the certificate authority's key.

The Rush to Certify

While it’s understandable that the pandemic brought on a new sense of urgency to present digital brands as trustworthy, the rush to certify could do more harm than good. The EV process can take up to a week, while businesses can complete the DV process in just hours or even minutes. If they opt for the latter due to the time factor, they are sacrificing trust; users will not know with absolute certainty that they’ve landed on a legitimate website.

All DV proves is that an entity owns the domain name, but that entity may very well be a hacker posing as a popular consumer brand. How will shoppers distinguish between legitimate e-commerce sites and malicious ones? If DV is the only option, then they won’t.

So how does an organization balance the “need for speed” here and a continued commitment to the most secure of validations? Here are three recommendations:

Plan ahead. To properly manage certificate portfolios, companies have to get ahead of expiration dates. Typically, verifying authorities need to go through key processes and conduct “callbacks” to owners after looking them up—which has become increasingly difficult in the post-pandemic era. So, owners/brands should add a month to the process to allow enough time for the authority to look them up.

Be consistent. In applying for a new certificate, owner organizations should review details for prior certificates submitted to ensure consistency. If ten different details are presented in ten different ways, for instance, it will confuse the certificate authority reviewing the information and possibly hold up approval.

Stay the course. Browsers are committed to continue looking at ways to create the speediest, easiest browsing experience for consumers. While brands will be pressured to update their certificates more rapidly and on a constant basis, they should not resort to opting for the "quickest" option. Stay the course and stick to the most proven certification methods.
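The three certificate types listed earlier and the "plan ahead" recommendation above both come down to things a brand can check in its own certificates: which validation level a certificate actually carries, how long it is valid for, and whether renewal work should start now. The following Go program is an added example, not code from the article or from CSC; it builds three constructed self-signed certificates (DV, OV and EV shaped) and runs those checks over them. It assumes a 398-day ceiling as the concrete value behind the article's "roughly 13 months", a 30-day renewal lead time for the extra month the article recommends, and classifies EV by the businessCategory and jurisdictionOfIncorporation subject attributes that only EV certificates carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attributes that the EV Guidelines require and DV/OV certificates never carry.
var (
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// Assumed policy values: the "roughly 13 months" cap and the extra month of lead time.
const (
	maxLifetimeDays = 398
	renewalLeadDays = 30
)

// ValidationLevel infers DV, OV or EV from the subject distinguished name alone:
// EV-only attributes -> EV; an Organization field -> OV; otherwise DV.
func ValidationLevel(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidBusinessCategory) || atv.Type.Equal(oidJurisdictionCountry) {
			return "EV"
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// LifetimeDays returns the validity period (NotAfter - NotBefore) in whole days.
func LifetimeDays(cert *x509.Certificate) int {
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
}

// ExceedsLifetimeCap reports whether the certificate is longer-lived than the assumed cap.
func ExceedsLifetimeCap(cert *x509.Certificate) bool {
	return LifetimeDays(cert) > maxLifetimeDays
}

// RenewalDue reports whether, at time now, the certificate expires within the lead window,
// i.e. whether the renewal (and any callback verification) should already be under way.
func RenewalDue(cert *x509.Certificate, now time.Time) bool {
	return now.Add(renewalLeadDays * 24 * time.Hour).After(cert.NotAfter)
}

// makeCert builds a self-signed certificate with the given subject and lifetime (constructed data).
func makeCert(subject pkix.Name, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:     []string{"shop.example"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts returns constructed DV (90 days), OV (730 days) and EV (365 days) certificates.
func SampleCerts() (dv, ov, ev *x509.Certificate, err error) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	if dv, err = makeCert(pkix.Name{CommonName: "shop.example"}, start, 90); err != nil {
		return
	}
	if ov, err = makeCert(pkix.Name{CommonName: "shop.example", Organization: []string{"Example Retail Ltd"}}, start, 730); err != nil {
		return
	}
	ev, err = makeCert(pkix.Name{
		CommonName:   "shop.example",
		Organization: []string{"Example Retail Ltd"},
		SerialNumber: "12345678",
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "GB"},
		},
	}, start, 365)
	return
}

func main() {
	dv, ov, ev, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 3, 15, 0, 0, 0, 0, time.UTC) // constructed "today"
	for _, c := range []*x509.Certificate{dv, ov, ev} {
		fmt.Printf("%-3s lifetime=%3dd over-cap=%-5v renewal-due=%v\n",
			ValidationLevel(c), LifetimeDays(c), ExceedsLifetimeCap(c), RenewalDue(c, now))
	}
}
```

Run against real certificates, the same three functions would take the output of `x509.ParseCertificate` on a PEM-decoded leaf; the subject-based classification is a quick inventory heuristic, and an authoritative answer comes from the certificate policy OIDs published by each certificate authority.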

Businesses need to understand that, in addition to getting an SSL certificate quickly, they have to build trust with consumers. People trust businesses they know: financial institutions, major retailers, public-facing government entities. These trusted brands are also the businesses that phishing attackers and fraudsters target the most due to high website traffic. If businesses are forced to opt for the less time-intensive validation certificate, security is being sacrificed and consumers will not know which websites to truly trust.

The upshot: DV, OV and EV all come with a padlock in the corner, and the OV certification process today is much more seamless with automation. However, there is potential for DV and OV padlocks to get spoofed, leaving EV as the only true padlock consumers can trust to shop with confidence. A business's most senior decision-makers also serve as the brand custodians. It is up to these individuals to allocate the proper time, attention and resources to their domain ecosystem so their consumers' confidence never wavers. They say hard work pays off. Now is not the time to find shortcuts. It's time to put in the hard work, even if it means sticking to the most proven certification methods.

Mark Flegg

Mark Flegg, CSC global's director of security services, is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. During his 18-year career, Mark has acquired a wealth of experience in cyber security technology focusing on domain management systems, domain name systems (DNS), digital certificates SSL (TLS), and distributed denial of service protection software and mitigation. To raise awareness of digital threats to businesses, Mark regularly presents programs dealing with domain security and cyber security assets at leading industry conferences and events.