EV Certificates Enhance The Bottom Line, Not Trust
VeriSign has been very active in beating the Extended Validation certificate drum. I just have a real problem with EV certificates being sold as "better" than regular EV certificates. EV certificates don't change the security features of the resulting SSL connection. The green or red address bar doesn't tell us whether a Web site is trustworthy or not. But the green bar adds greenback to you
VeriSign has been very active in beating the Extended Validation certificate drum. I just have a real problem with EV certificates being sold as "better" than regular EV certificates. EV certificates don't change the security features of the resulting SSL connection. The green or red address bar doesn't tell us whether a Web site is trustworthy or not. But the green bar adds greenback to your coffers, regardless.I understand what EV certificates are supposed to impart, that the Web site represents a legitimate business. When generating non-EV SSL certificates, Certificate Authorities (CA) like VeriSign will, generally speaking, check that the person making the request for a server certificate is the rightful owner of the domain name, and is authorized to make the request. You can read the details in section 3.2 of VeriSign's Certification Practice Statement. Basically, if I wanted to request a SSL certificate for the Web site www.example.com, I would have to prove that I am the rightful owner of the domain and identify myself.
Extended Validation certificates, on the other hand, are supposed to communicate that the Web sites using them are somehow more trustworthy than Web sites that aren't using them. The idea being that prior to an EV CA issuing a certificate to a company, the issuing EV CA validates the company is a legal entity by checking its incorporation with the claimed state authority. The issuing EV CA also validates that other information supplied, like the company name, addresses, etc., are accurate. EV certificates also require the use of revocation validation. That's all great stuff. Revocation validation should have been required years ago.
The Diabolical Dichotomy
EV certificates sound great. Now I can be assured that a Web site with an EV certificate is a business worthy of my trust, right? Wrong! VeriSign, nor any CA issuing EV certificates, will make that claim.
From VeriSign's CPS, appendix B2b, (I did some grammar and format edits) we have:
... by providing more reliable third-party verified identity and address information regarding the owner of a website, EV Certificates may help to:
Make it more difficult to mount phishing and other online identity fraud attacks using SSL certificates
Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves and their legitimate websites to users
Assist law enforcement in investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject [SSL certificate owner]
And in appendix B2c, we have:
... an EV Certificate is not intended to provide any assurances, or otherwise represent or warrant:
That the Subject named in the EV Certificate is actively engaged in doing business
That the Subject named in the EV Certificate complies with applicable laws
That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings
That it is "safe" to do business with the Subject named in the EV Certificate.
So which is it? Based solely on the presentation of an EV certificate, can I trust the business associated with an EV certificate or not? The answer is NOT. The exclusions in the CPS make perfect sense because an EV CA is only validating that a company is, in fact, a legal entity. Period. Any trust or value ends there. How hard is it to set up a legal company? Not hard. A limited liability corporation (LLC) can probably be set up for less than $1,000.
The real question is what the user infers when using a Web browser that is capable of detecting an EV certificate. Green is good. Red is bad. White is neither good nor bad. Those visual clues cause a reasonable person to infer something far different than what is being asserted. What is being asserted by an EV certificate is that the Web site has been validated as a legal entity. What a reasonable person infers is a Web site that turns the address bar green is good, trusted; a Web site that turns the bar red is bad, untrusted; and a Web site where the address bar doesn't change is neither good nor bad. Depending on your outlook, that Web site with a white address bar could be questionable.
But wait. Wasn't the golden lock in Web browsers for the last 10 years telling us something similar? If you see a lock, your connection is safe and secure? Security professionals know that the lock means an SSL session is running, that the server has been authenticated, and that the data in motion is encrypted. Beyond that, we would have to examine the certificate contents to really see what the certificate signified. To people not versed in security and security protocols, locks are comforting. They see a lock and reasonable people think safety because that is the cultural icon we grew up with. If you ask users about the safety and security of the Internet, many non-tech-savvy people will tell you they are afraid of identity theft and scams. They see the stories in the news if not on a daily basis, then on a weekly or monthly basis.
The lock is a lie.
Now we have something new. A colored address bar -- who can miss that? The thing is, EV certificates tell us nothing useful. A Web site with an EV SSL certificate can still be run by scam artists. A Web site without an EV certificate can be run by honest and ethical people. The color of the address bar shouldn't denote trust. Green and red labels are overtly misleading.
The Business Case
VeriSign's outreach on the business case of EV certificates is clearly aimed to leveraging the cultural norms that green is good and red is bad. Therefore, if your Web site turns the address bar green, your Web site must be trustworthy, which means more potential customers will complete their sale. Thus, the investment in an EV certificate will pay off. Their claim that using an EV certificate results in a 30% climb in sales or a 48,000 percent ROI is separate from the meaning or trust implied by an EV certificate.
In late 2007, I spoke with Terence Johnson, VP of technology for Scribendi. Scribendi offers services to writers and is a VeriSign customer using EV certificates. Johnson stated that after Scribendi purchased and deployed their EV certificate, within a few months they saw an uptick in sales completion. Johnson attributes the uptick to the EV certificate. He says that the company was working on a big project internally; the company hadn't made any changes to the site; nor had they engaged in any marketing or outreach. The only change was the addition of EV certificate. That may very well be the case. Johnson certainly knows his business far better than I do.
Of course, I have to wonder why sales increased and if the increases are due to users trusting the Web site more because of the green bar or due to an understanding of the nature of EV certificates. In other words, would the results have been the same if the address bar turned green for any valid SSL certificate?
There is far more to trusting a business than a green address bar. Word of mouth recommendations, professional dealings with customers, good, a clear presentation of the Web site and what your business does, contact numbers and addresses that are readily available -- these all lead people to trust your business.
* You can check out revocation in IE7 by going to Tools->Internet Options->Advanced, then scroll down to Security and make sure the box next to "Check for server certificate revocation*" is checked. Then restart IE. Go to www.overstock.com, put something in a shopping cart and go to checkout. When you get to the SSL page, the address bar turns green. Now go back to that setting, uncheck "Check for server certificate revocation*", restart IE, and go back to you shopping cart on Overstock. The address bar is white.
The press release:
Businesses the World Over Report Substantial Bottom-Line Benefits from Deploying VeriSign EV SSL Protection
Online Merchants and Service Firms Discover Gold Lining When Their Customers See the Green Address Bar
Mountain View, Calif. -- July 28, 2008 -- Around the world, online businesses are reporting measurable -- and substantial -- bottom-line benefits resulting from their deployment of Extended Validation (EV) Secure Sockets Layer (SSL) Certificates from VeriSign, the trusted provider of Internet infrastructure services for the networked world.
Metrics reported by some of these organizations include an 87% increase in registration rates, a 30% climb in sales conversions, a more than 13% drop in abandoned carts, and a 48,000% ROI.*
VeriSign EV SSL helps online businesses build trust with their customers by offering an effective safeguard against phishing scams that lure unsuspecting consumers to sites designed to appear almost identical to genuine Web pages. Identity thieves use these fraudulent pages to capture credit card numbers, passwords, and other valuable personal information. When visiting sites protected by an EV SSL Certificate, Internet users using compatible high-security browsers see a green address bar. The green address bar tells consumers they have reached a Web site whose authenticity has been verified according to certain rules.
From North America to Europe and beyond, online merchants and service providers are among the more than 5,000 online businesses that protect their Web sites with VeriSign EV SSL Certificates (including VeriSign, GeoTrust, and thawte brand certificates). And in the process, they are watching their Web sites perform at unprecedented levels. Among the recent success stories:
Paper-Check.Com LLC, a San Francisco-based company that offers online document editing and proofreading services, especially to academic users.
Results: In tests, the company found that visitors who see the trusted green address bar are 87% more likely to complete the company's online registration process -- the key step in becoming a customer. View case study: www.verisign.com/papercheck
Central Reservation Service (CRS) provides a free hotel reservation service that offers attractive rates and special deals on both independently owned and familiar brand hotels and resorts, with no prepayment and no booking, change, or cancellation fees.
Results: Tests showed that customers who saw the green bar converted to purchase 30% more often than those who didn't see the green bar, far exceeding the company's expectations. View case study: www.verisign.com/crshotels
Dwell.co.uk markets a wide range of excellently priced contemporary furniture throughout the United Kingdom, with rapid delivery for in-stock items.
Results: The company reports that the EV SSL green address bar boosted conversion rates by 13.8% and monthly sales by £18,000 (more than $35,000). That increase represents an astounding 48,000% return on the company's investment in VeriSign EV SSL.
View case study: www.verisign.com/dwell
Fitness Footwear, Ltd. is the largest independent footwear retailer in the U.K. and the No. 1 supplier of several name brands, with its Web site accounting for 95% of its sales.
Results: VeriSign EV SSL protection delivered a 13.3% drop in cart abandonment and a 16.9% increase in conversions to sales. View case study: www.verisign.com/fitnessfootwear
Scandinavian Design Online AB, part of the Design Online Group, is one of the leading Web sites selling home and garden, interior design, and décor to a worldwide audience across multiple Web sites. View case study: www.verisign.com/sdo
Results: Two months after EV SSL implementation, the company saw an 8% increase in online conversion rates.
SISTIC, Singapore's No. 1 leading ticketing agency sells tickets for more than about 90% of Singapore's arts, entertainment, and sports events. SISTIC has an extensive ticket distribution network in Singapore and beyond in Malaysia and Indonesia.
Results: After deploying VeriSign EV SSL Certificates, SISTIC recorded a 14% increase in sales.
"The Internet is a fantastic tool, but customers are concerned about security on Web sites," said Richard Theobald, IT manager at dwell. "Our use of the VeriSign Secured Seal and EV certificates is one of our most important ways of instilling confidence in customers and assuring them that their information is secure when they do business with dwell."
In addition to seeing bottom line results from EV SSL, VeriSign customers are also seeing uplift from the VeriSign Secured Seal. U.S.-based Proof-Reading.com LLC, a provider of high quality business document proofreading and editing services, recently reported a 36% increase in registrations after it switched to the VeriSign Secured Seal, citing VeriSign's globally trusted brand as a major driver of the uplift.
View case study: www.verisign.com/proof-reading
"When a company makes the effort to provide a trusted online experience, customers respond -- and so does the bottom line," said Tim Callan, VP of SSL product marketing at VeriSign. "From soaring revenues and conversion rates to meaningful reductions in abandoned shopping carts, these online merchants are realizing real-world benefits from their reliance on VeriSign EV SSL Certificates. As these results show, EV SSL protection is an investment that keeps paying dividends."
When a Web site uses an EV SSL Certificate to identify itself, browsers including Internet Explorer 7 (IE7), Firefox 3, and Opera 9.5 display easily understood visual cues to provide tangible assurance of a site's authenticity. The browser adopts the "green glow," a highly visible green background on or adjacent to the browser's address bar. This green area contains the authenticated name of the organization that owns this site and can also indicate the name of the security provider that issued the certificate, such as VeriSign.
As the most respected and trusted SSL authority on the Web, VeriSign is the EV SSL Certificate provider of choice for more than 5,000 Internet domains, representing greater than 75% of the entire EV SSL Certificate market worldwide. In fact, over 95% of the Fortune 500 and the world's 40 largest banks secure their sites with SSL Certificates sold by VeriSign.** To learn more about VeriSign EV SSL, visit http://www.verisign.com/EV-SSL.
* Your company's results may vary. Contact VeriSign today to talk about how VeriSign can best address your company's security needs.
** Includes VeriSign's subsidiaries, affiliates, and resellers.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.