Extended Validation (EV) SSL Certificates

EV SSL Certificate – An X.509 certificate for HTTPS (TLS) whose issuance requires the certification authority to verify the legal identity of the organization operating the site, not merely its control of the domain name.

To obtain an EV certificate, the existence of the organization on whose behalf the certificate is issued must be confirmed with the certification authority. Browsers have displayed this organization information alongside the site’s domain name in the address bar.

EV certificates use the same cryptography and the same TLS protocol as DV and OV certificates: the additional assurance comes not from stronger encryption but from the certification authority having verified that the named organization exists and is entitled to the domain.

The criteria for issuing EV certificates are defined by a dedicated document, the Guidelines for the Issuance and Management of Extended Validation Certificates (EV Guidelines); as of 1 August 2019 the current version is 1.7.0. The Guidelines were developed by the CA/Browser Forum, an organization whose members are certification authorities and Internet software vendors, together with representatives of the legal and audit professions.

The motivation to get a certificate

An important reason for using digital certificates with SSL/TLS is to increase trust in online transactions, which requires that website operators be vetted before a certificate is issued. Commercial pressure, however, has led some certification authorities to introduce lower-assurance certificates (domain validation). Domain-validated certificates existed before extended validation and, as a rule, require only proof of control over the domain. In particular, a DV certificate makes no assertion that any legal entity is associated with the domain, even if the site itself claims to belong to one.

At first, most browser user interfaces did not distinguish between domain-validated and extended-validation certificates. Since any successful SSL/TLS connection produced a green lock icon in most browsers, users were unlikely to know whether the site had undergone extended validation (in January 2019 Chrome dropped the green indicators). As a result, scammers, including phishers, were able to use TLS to lend credibility to their websites. Users of later browsers could still verify the identity of the certificate holder by inspecting the details of the issued certificate (including the organization’s name and address).

Issuing an EV certificate requires compliance with both the Baseline Requirements and the additional EV Guidelines. Manual verification of the domain names requested by the applicant, verification against official government sources and independent information sources, and telephone calls to the organization are required. The issued certificate records, in its subject fields, the organization’s registration number as verified by the certification authority together with its physical address.

EV certificates are designed to increase users’ confidence that the website operator is a genuinely existing organization. There is concern, however, that the same lack of accountability that eroded public confidence in DV certificates is also eroding the value of EV certificates.

Issuance criteria

Only certification authorities that have passed a qualified independent audit may issue EV certificates, and all of them must follow the issuance requirements, whose aims are to:

  • establish the legal existence and identity of the site owner;
  • establish that this legal entity is entitled to the domain;
  • confirm the identity of the site owner and the authority of the people acting on its behalf.

With the exception of EV certificates for .onion domains, wildcard certificates cannot be issued with Extended Validation: every fully qualified domain name must be listed explicitly in the certificate and verified by the certification authority.

User interface

EV-aware browsers indicate the presence of an EV certificate, usually by showing the organization’s name and location. Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera and Google Chrome have supported EV indicators.

The EV rules require each participating certification authority to define a specific EV policy identifier (an OID placed in the certificate’s certificatePolicies extension) once it has completed an independent audit and met the other criteria; the CA/Browser Forum also defines a shared EV policy OID, 2.23.140.1.1. Browsers ship a list pairing each EV-enabled root certificate with its EV OID and compare the policy OID in the certificate with the one recorded for the issuing root: only if they match, and the certificate chains to that root, is the certificate treated as EV. In many browsers, an EV certificate has been indicated by:

  • the name of the company or organization to which the certificate was issued;
  • a distinctive color, usually green, in the address bar, indicating that the HTTPS connection uses an EV certificate;
  • the “lock” symbol in the address bar; clicking the padlock shows further details of the certificate, including the name of the certification authority that issued it.

Update 29.09.2019!

Version 77 of Google Chrome has now been released for Windows, Linux, macOS, Chrome OS, iOS and Android. The new release removes the UI indicator for Extended Validation (EV) certificates, also known as the “Green Address Bar”, from the browser’s address bar; the organization name is now shown only in the page information panel opened from the lock icon.