


Why it’s time to shift to extended validation certificates

Aug 27, 2020 | 4 mins
Internet Security | Security

More than ever, a strong organizational identity is essential for building trust with users.


Phishing attacks designed to lure people into clicking on sites that look like legitimate businesses are nothing new. But this kind of activity has been amped up with so many more people having to use the internet for everyday activities, like ordering groceries online or purchasing products for curbside pickup. Users have been getting more savvy, though, and people do want to know that the companies they are doing business with are legitimate. 

One way for companies to prove their online identity is through the use of TLS/SSL certificates. For as long as there has been web traffic, security leaders have relied on certs to help prove a business is legitimate, but not all certs are created equal. TLS certificates authenticate the identity of the website and encrypt traffic between the website and the person visiting the site. Websites with valid TLS certificates display a gray/black or hollow lock next to the URL in the browser to indicate the web connection is secure.

The standard certificate in the industry for about 30 years has been the organization validated (OV) TLS certificate. With these certificates, the issuing company would validate the domain with some kind of official record, such as Dun & Bradstreet, to verify the authenticity of the business that is trying to get the certificate. After OV certificates started coming out, some certificate authorities started issuing domain validated (DV) certificates that had a much lighter level of authentication. With DV certificates, the only check done is to validate from internet records that the company buying the certificate does indeed own the domain. The benefit of this is that the certificate can be issued very quickly, even automated, and the cost is relatively low or free. The downside is that anyone can make up a company and purchase a domain name.

A user who wants to check the certificate for validity and clicks on the lock next to the URL is presented with information that verifies the check has been done and should verify the company is legitimate. However, with DV certificates, the low threshold to verify means it’s easy for a threat actor to purchase a domain name and make it look legitimate.

The most secure level of certificate is the extended validation (EV) certificate, which does all of the authentication checks of DV and OV but also adds a higher level of vetting. EV certificates contain detailed information about the company whose website you are visiting, including the full company name, organizational unit (e.g., IT, operations, marketing, etc.), locality, state, country and type of organization.

EV is not only important for website identification, it also helps strengthen organizational security. For example, companies that only use EV certificates will find it easier to spot imposters that are using other types of certificates. Companies may also better control who orders certificates for their domains by specifying that the issuing certificate authority verify the individual’s employment and authorization.  And, by specifying EV for at least its primary top-level domains, a company can better protect its brand by demonstrating that the company will not cut corners in protecting users with the strongest web identity assurance available.
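A sketch of how an "EV only" policy can be checked in practice, as an added example that is not from the article or from any vendor: certificates are classified by the CA/Browser Forum policy OIDs in their certificatePolicies extension, and any certificate issued under the organization's domain that is not EV is flagged. The record layout, `example.com`, `Example Corp` and the function names are assumptions, and the inventory is constructed sample data.

```python
# CA/Browser Forum reserved policy OIDs (certificatePolicies extension); not from the page.
CABF_LEVELS = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}
RANK = {"unknown": 0, "DV": 1, "OV": 2, "EV": 3}
# Subset of the subject attributes the article lists for EV certificates.
EV_SUBJECT_FIELDS = ("O", "C", "businessCategory")

def validation_level(policy_oids):
    """Highest validation level asserted by a certificate's policy OIDs."""
    levels = [CABF_LEVELS[o] for o in policy_oids if o in CABF_LEVELS]
    return max(levels, key=RANK.__getitem__, default="unknown")

def covers(san, domain):
    """True if a SAN dNSName (possibly a wildcard) falls under `domain`."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def audit(inventory, domain, expected_org):
    """Return (serial, reason) for each certificate under `domain` that breaks policy."""
    findings = []
    for cert in inventory:
        if not any(covers(s, domain) for s in cert["san"]):
            continue  # not issued for our domain
        level, subject = validation_level(cert["policies"]), cert["subject"]
        if level != "EV":
            findings.append((cert["serial"], f"{level} certificate, policy requires EV"))
        elif any(f not in subject for f in EV_SUBJECT_FIELDS):
            findings.append((cert["serial"], "EV policy OID but identity fields missing"))
        elif subject["O"] != expected_org:
            findings.append((cert["serial"], f"unexpected organization {subject['O']!r}"))
    return findings

# Constructed sample inventory (hypothetical values, e.g. parsed from a CT log export).
INVENTORY = [
    {"serial": "01", "san": ["www.example.com"], "policies": ["2.23.140.1.1"],
     "subject": {"O": "Example Corp", "C": "US", "businessCategory": "Private Organization"}},
    {"serial": "02", "san": ["*.example.com"], "policies": ["2.23.140.1.2.1"],
     "subject": {"CN": "*.example.com"}},
    {"serial": "03", "san": ["shop.example.com"], "policies": ["2.23.140.1.2.2"],
     "subject": {"O": "Example Corp", "C": "US"}},
    {"serial": "04", "san": ["notexample.com"], "policies": ["2.23.140.1.2.1"],
     "subject": {"CN": "notexample.com"}},
]

if __name__ == "__main__":
    print(audit(INVENTORY, "example.com", "Example Corp"))
```

The same check applies to certificates observed in Certificate Transparency logs once their SANs, policy OIDs and subject fields have been extracted into this shape.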

DigiCert, one of the issuers of business digital certificates, has recently enhanced EV standards by including Legal Entity Identifiers (LEIs) in the EV vetting process and representing that information in the web browser display of EV certificates. These uniquely identifiable numbers can be added to EV certificates for non-repudiation of the identity of the company the user thinks she is visiting online, and they enable legal entities to have a single identity across multiple platforms.

“Integrating the LEI into digital certificates will allow anyone to easily relate all records associated with an entity, determine which are current and clear up variances,” says Stephan Wolf, CEO of the Switzerland-based Global Legal Entity Identifier Foundation (GLEIF). “It will also allow business users to easily access information on who owns whom – crucial for those operating to mitigate risk. By becoming the common link between digital certificates, the LEI will provide certainty of identity and trust in any online interaction, making it easier for everyone to participate safely in the global digital marketplace.”

The COVID-19 pandemic has changed the way we work, live and learn and has forced people to rely on the internet for almost everything in their lives. This trend will carry on long after the pandemic.  With website security top of mind, businesses need to look to EV certs to provide the highest level of authenticity to their customers.


Zeus Kerravala is the founder and principal analyst with ZK Research, and provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers.