Extended Validation EV SSL Certificates – Should Your Website Have One?

Extended Validation (EV) SSL certificates are the latest secure certificates that offer the highest level of “outward” security to the end user. Introduced in 2007, these new SSL certificates cause the address bar to turn green in a visitor’s web browser, and also to display the company name. Here are two examples of this in Firefox and Internet Explorer:

Firefox:

[Image: EV SSL example in Firefox]

Internet Explorer:

[Image: EV SSL example in Internet Explorer]

EV certs have a more thorough application process, as each business is “vetted” prior to being issued an EV certificate. This means that organizations that have an EV SSL certificate are much more likely to be legitimate entities, whereas a standard SSL certificate can be obtained by anyone without any such vetting.

Is it worth it to have an EV SSL certificate? I believe the answer is YES!

EV Usage for the Top 100 Retail Websites

I took a detailed look at Internet Retailer’s 2009 Top 100 Retail Websites, as I felt this was a good cross-section of large and medium-sized ecommerce merchants. I recorded which sites had an EV cert, what SSL vendor they were using, and I looked for any warnings or errors on their secure pages.

* 20% of the Top 100 retailers are currently using an EV SSL certificate.

* 17% of the Top 100 retailers had an insecure call or a warning on either their secure sign-in or secure checkout pages. This resulted in either a browser warning or a missing padlock in the browser.

And here is the breakdown of the SSL vendors in use by the Top 100 retailers:

[Chart: SSL Vendor Breakdown for Top 100 Retailers]

Interpreting the data

What can we learn from the above statistics? In terms of EV SSL adoption, 20% of the top retailers are now using an EV SSL certificate. Although this may seem like a low number, earlier studies found around 2% adoption among major retailers in 2007 and around 12% in 2008. There is a slow progression towards more retailers using EV.

However, there are a number of reasons why larger retailers may not have an EV cert:

  • If you’re Amazon, people already trust you
    Large retailers may not feel the need to add an extra layer of security, since they are a well known brand. If the padlock appears and no warnings pop up, people will purchase.
  • IT managers just renew what they have currently
    Many IT departments simply make sure their SSL certificate does not expire. They renew it early, and keep it the same to keep it simple for them. The thought of obtaining a new type of SSL certificate may not cross their mind, or seem too daunting.
  • Too many hoops to jump through
    In larger organizations, there are established procedures for the handling of existing SSL certificates. In order to get an EV certificate, the IT department has to get access to incorporation documents, DUNS numbers, etc… and probably needs to submit a proposal up the chain for approving this change. It may just be too much work for little return in their eyes (which I feel is a mistake).
  • They don’t see the need
    Consumers have not yet fully caught on to how EV certificates work, and not all older browsers support EV in terms of green bars and company names being displayed. These larger retailers may not see a large enough benefit to change their ways (again a mistake in my opinion).

Does the SSL vendor matter?

In looking at the top 100 retailers, Verisign was the most popular SSL vendor. This makes sense as they are seen as the leader, and worked hard with large retailers to establish partnerships. Akamai was the second most popular, which also makes sense as larger retailers often partner with Akamai as their content delivery network provider. Geotrust was next, and has a good reputation for business websites.

Technically speaking, all the major vendors offer the same level of security in terms of the certificate itself. All of the more recent web browsers fully support the major SSL vendors, so they all work the same. Brand name recognition does come into play if the website displays a security seal, as many consumers recognize names such as Verisign or Geotrust. And some seals are more visually appealing and look more professional (The GoDaddy seal is not a professional look in my opinion).

Does it matter? Yes. Industry leaders such as Verisign and Geotrust (which is actually owned by Verisign) have more brand name recognition, and can help with conversion rates for those shoppers on the fence when it comes to trusting a website before completing a purchase (assuming you prominently display the security seal). Additionally, Verisign and Geotrust are fully supported by older web browsers, which may still account for up to 5 to 10 percent of your visitors.

What about the errors?

When I found that 17% of the top 100 retailers had some sort of insecure call or security warning on their secure pages, I was quite shocked. I figured these large organizations would eliminate these sorts of problems on their websites. These are the types of errors that can cause buyers to not complete a purchase due to security concerns. People know that the secure padlock/key needs to be present to ensure a safe transaction.

Although a large well known company such as Walmart can survive a few lost sales, smaller merchants cannot afford to drive away sales with security warnings and missing padlocks. Here is where a small business can outperform a large online store: Make sure your secure pages are 100% secure so your customers feel safe shopping on your website.
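A checker for the insecure calls counted above, as an added example that is not part of the original post: it parses the HTML of an https page and lists every subresource the browser would fetch over plain http, which is what makes the padlock disappear or a warning appear. The page URL and HTML it runs on are constructed samples; in practice you would feed it the body of your own sign-in or checkout page.

```python
"""Scan an https page's HTML for http:// subresources (mixed content).
Added example, not from the original article; page URL and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attributes that make the browser fetch a subresource into the page.
RESOURCE_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
                  "embed": ("src",), "object": ("data",), "source": ("src",),
                  "video": ("src", "poster"), "audio": ("src",), "link": ("href",)}

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url) for each insecure call

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches for stylesheet/icon relations; canonical etc. load nothing.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # Relative and scheme-relative (//host/...) URLs inherit https from the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    """Return the http:// subresources of an https page, in document order."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample checkout page: two insecure calls among several safe references.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.shop.example/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="//cdn.example/jquery.js"></script></head>
<body><img src="/images/padlock.png"><img src="http://tracker.example/pixel.gif">
<iframe src="https://payments.example/frame"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure call: <{tag} {attr}={url}>")
```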

To EV or not to EV, that is the question…

The skeptic might say:
80% of the top retailers do not use EV certs. EV certs cost more, and it’s more difficult to get approved for one. Many consumers still do not understand the difference between a green address bar and the secure padlock.

All of the above is true. However, that does not mean you should skip an EV certificate. And here’s why:

  • Don’t follow the herd
    Just because 80% of the top 100 are not using an EV SSL certificate does not mean it’s the right choice for your business. Their reasons for not having one (laziness, too much red tape, not understanding the technology, etc.) are most likely not the same as yours, since the cost and time to get an EV cert do not matter to them, and are not in line with your goals. See this as an opportunity to offer more recognizable security to your customers. It can be a competitive advantage.
  • The green bar is continuing to become more recognized
    As more consumers use Windows 7, IE 8, and Firefox, the green bar becomes more widely adopted. EV features are built into Internet Explorer 8 and Firefox, so more people are being exposed to this new technology. People are starting to notice the green bar and company name, and will equate that with a secure website.
  • EV certificates are harder to obtain
    This is a good thing. A less than reputable site or scam website can easily get a regular SSL certificate. However, they would be hard pressed to pass the background checks for an EV certificate. If your website has an EV certificate, it shows your business to be on the “up and up” and you have something not everyone can purchase. It gives you a competitive advantage over those websites that do not have one.

The bottom line on EV

For a few more dollars and a little more paperwork, your website can offer the most secure certificate available today. If only a few shoppers recognize the added security and it helps them complete a purchase at your store, it will be worth it. And that is the worst case scenario. The more likely scenario is more consumers are aware of (and actively look for) the green bar to signal a truly secure connection, and put more trust in those websites that use EV SSL certificates in their store.

… Our website uses an EV SSL certificate, so I believe in what I’m saying as well.  :)

Do you have an EV certificate? Share your thoughts on why or why not in the comments below.



7 Comments

  1. Allen Kelly says:

    Great work conveying the business value of Extended Validation (EV) SSL!

    If your article wasn’t compelling enough (which I think it was), here are some EV SSL case studies from VeriSign with measured ROI – http://bit.ly/EnDBC

    Thanks for spreading the word!

  2. A few people have asked me for the EV breakdown from the Top 100 retailers of 2009. Here are the companies using an EV Certificate from that list:
    Bluefly
    BlueNile
    Buy.com 
    CableOrganizer.com
    CVS
    Delight.com
    eBags
    Expressionery.com
    FragranceNet.com
    Gander Mountain
    iGourmet.com 
    iTunes
    MusicNotes.com
    Novica
    Orvis
    Overstock.com
    Popcuts
    Scentiments
    Zazzle.com

  3. The problem with the EV product as you point out is that it doesn’t deal in any way with the customer’s needs, it is almost entirely a marketing product.

    In order to change it from a bright green blouse with frills to something approximating mil-green body armour, it would be useful to extend the contract reach somewhat. Think about insisting that where an EV cert is used, no downgrade is possible.

    • Very valid points you raise (here and in your blog post). EV is definitely heavier on the marketing side at this point in time. If consumers think the green bar means a webpage is safe and secure, then merchants have to consider using this “technology” to keep from scaring away potential customers.

      I think over time the standard will evolve, there will be more concrete requirements browser wise, and it will be a safer way to conduct business online.

  4. Theodore says:

    What you wholly fail to mention is that ‘EV’ certificates shouldn’t be necessary. They are only necessary because of a breakdown in the process: i.e. almost anyone can get an SSL certificate for any domain name they want, they just have to offer the issuer enough money.

    Oh, also, it’s not ‘just a few more dollars.’ You can get a perfectly valid (and secure) SSL certificate for ~$100, but you’ll pay more than $1000, not counting internal costs, for an EV certificate. You can’t tell me it costs $900 to contact the BBB and state license agency, since they’re already doing the nslookup/whois (I hope) to verify the documents they require.

    • I agree that EV was born of a failure of regular SSL vendors from performing due diligence when issuing certificates. Regular SSL certs can be purchased with no background checks performed. A simple email approval is all that is needed. Any scammer can obtain a regular SSL cert. without proving they are who they say they are.

      EV certificates are more expensive (some are in the $500-$700 range), and the cost is probably driven by marketing and how much businesses are willing to pay.

      For EV certs, the checks are quite involved. Once ordered, a check is performed between the domain WHOIS, the information attached to the certificate, and if the business has a DUNS number, this is compared. Any discrepancy between these records will require faxed documentation from a third party (lawyer, accountant), follow up phone calls, etc… A phone call is also conducted in all purchases (at least for the major vendors).

      If you searched for “Ugg boots” in December, it was estimated that 20-30% of the top Google links were to fake sites that were collecting credit card information and false charges. These sites all had standard SSL certificates, looked legitimate, and the padlock appeared. EV is a way for a company to show they are verified to be a legitimate business.

      Sure, scammers can still game the system and get past all the checks, but it’s much more difficult.

      Combine the more rigorous checks with marketing that has more consumers believing the green bar and listed company name to be a sign of true security, and this drives the price up for these certificates. Is it worth it? In my opinion, yes, for any business that wants to portray the most secure website they can to potential buyers.
