EV SSL doesn't mean the same thing on all browsers. Who has the best approach?
I'm a fan of EV SSL. Like a lot of
security technologies, it's far from being a silver bullet, but it's helpful.
It's also, perhaps, harder to implement than it may at first seem.
EV SSL is short for Extended Validation
Secure Sockets Layer, and refers to a special class of x.509 digital
certificate particularly for Web servers. It was developed by an industry
consortium called the CA/Browser Forum,
which is made up of certificate authorities and browser vendors (notably, not
One part of EV SSL that makes it both
more authoritative as a certificate and more expensive as a product is that
there are detailed and strict requirements in the specification (PDF)
for how certification authorities verify the applicants for a certificate.
The spec is full of checks that the CA "MUST" perform.
The other part of EV SSL is that it
mandates a change in browser behavior: The browser address bar turns green when
viewing an EV SSL site, and there are other
guidelines for making the certificate holder's name more prominent. With
earlier browsers and certificates, actually checking the cert holder's name
could be quite a convoluted process.
So what does it mean when the browser address bar turns green? Under the EV SSL
rules, it means that the top-level document is signed by an EV SSL
certificate signed by a trusted certificate authority, the biggest of which is VeriSign.
But the top-level document isn't all there is to a Web page. Pages from the
sorts of big commercial entities that would buy EV certificates are often
composed of elements from numerous domains, and the EV spec does not require
that all of them have EV certificates. For instance, use Internet Explorer 7 or
Firefox 3 (still pre-release) to look at the home page of PayPal.
the poster child for EV SSL, and it has
decided to do everything it can to protect its brand and identity. But it hasn't
got there yet.
The top-level document and some key elements, like the main PayPal logo,
have EV certs. But other elements on the page, such as this
do not. Browse the first one and you get a green bar; browse
the second one and you don't.
What are the implications? It makes cross-site scripting attacks more
serious, because the user will still see the green bar even though portions of
the page are from a different site unprotected by the EV certificate. I don't
want to overstate the danger of cross-site scripting, but neither do I want to
understate it. Some very famous, important sites have experienced cross-site
scripting attacks. They are difficult to eliminate because it requires consistent,
good programming practices. You can't just plug in a security product to take
This problem will start to become a little more pronounced soon, when users
start using the next generations of the Firefox and Opera browsers. Both
support EV SSL and will thus increase the
awareness of SSL. (Apple appears to have no
plans for EV SSL support in Safari.) One
difference about them, as opposed to IE 7, is that they do not turn the whole
address bar green, but just a small portion of it; I have to say I prefer the
IE approach, but it's a little early to say one is right and the other wrong.
But Opera goes one major step further than the other two browsers: It does
not turn the address bar green unless all
the elements on the page have EV SSL
certificates. The following sites all show green bars in IE 7, but not in Opera
9.5 (Beta 2):
There are sites that make Opera go green, though, including these:
For the most part, the sites that go green in Opera are simple ones and not
high-profile, the Deutsche Bank site being an obvious exception. Still, it's
I'm always leery of making the perfect the enemy of the good. I wish that
more browsers were stricter about EV SSL, or
at least offered a strict mode. But that doesn't mean that EV SSL
is not a useful thing. It is, and the sorts of sites that might be phished
really should adopt it. A good plan for adoption of EV SSL
would also include a concerted effort to remove the sorts of vulnerabilities
that could diminish its value.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take
a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.