SSL Certificates: What Consumers Need to Know
Guest post by Jeff Barto, Trust Strategist, Evangelist & Website Security Advocate for Symantec
In 1994, the first online purchase crossed the World Wide Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. Over the next 20 years, e-commerce has exploded into a bustling economy, exceeding $1.2 trillion in sales in 2013.
This growth in online purchases rests upon a foundation of trust. People trust that the websites they use to track finances and make online purchases are secure and legitimate largely because of Secure Socket Layer (SSL) certificates- otherwise known as that little green padlock in the URL bar of the browser.
SSL certificates verify that the provider is who they claim to be and also indicate secure connections between personal devices and company websites. Understanding SSL certificates is important to help prevent falling victim to scammers. Because at the end of the day, not all sites, or SSL certificates, are created equal.
Different types of certificates
Website owners purchase SSL certificates through Certification Authorities (CA). There are three different types of SSL certificates, each providing a different level of security. The problem is that, even though all of these certificates provide the safety padlock in the URL bar of a browser, along with the HTTPS (“S” indicating “secure”) in the address bar, the levels of security between types of certificates differ greatly. This is why it is important to understand what kind of SSL certificate a site is using when looking to perform financial transactions or anything involving personal user data.
- Domain validated (DV): This simply verifies who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify their identity. No information about the company itself is required. Cybercriminals commonly use DV certificates because they are easy to obtain and can make a website appear more secure than it actually is. For instance, fraudsters may use DV certificates to lure consumers to phishing websites that look authentic, or to cloned websites that look legitimate, but are designed to steal sensitive information.
- Organizationally validated (OV): To receive an OV certificate, a CA must validate certain information, including the organization, physical location and its website’s domain name. This process typically takes a couple of days.
- Extended validation (EV): This certificate has the highest level of security and is the easiest to identify. In order to issue an EV certificate, the CA performs enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of applicant identity and checking information with a third-party database. In addition to adding the padlock in the URL bar of the browser, the “S” part of HTTPS, this adds the company’s name in green in the browser URL bar.
Can you tell the difference?
Clearly, the last URL is an EV certificate. The first is the DV certificate and the second is an OV certificate, which both look identical to each other.
What can people do to stay safe?
Now knowing what a SSL certificate is, the three different types, and that DV-enabled sites pose a risk for scams, how can users reduce the risk of shopping or performing other sensitive transactions online?
- Be aware! Just because a website has the padlock or “https” next to a URL doesn’t make it safe for financial transactions. Users have learned to look for those two things before conducting a transaction, which is exactly why cybercriminals are going through the trouble of obtaining SSL certificates in the first place – to look like a legitimate site.
- Know how to look for the type of SSL certificate a website has. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers do not distinguish a DV certificate from an OV certificate, however. To make it easy to tell the difference, Norton has created a free tool. You simply paste a URL directly into the tool and it will tell you if the site is DV-, OV- or EV-enabled, with results clearly highlighting how safe a site is.
- Only conduct transactions and provide sensitive data to sites that have OV or EV certificates. There’s a time and place for DV certificates, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton tool and the tool reports that the site has a DV certificate, rethink conducting any type of transaction via that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.
Let’s face it – online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, people will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, consumers are less likely to be duped by phishing websites.