Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Michael R. Farnum

Hitting the Security Nerve

Are extended validation certs worth the extra money?

3 comments

IT TOPICS:Internet, Security

If you have an e-commerce website, is it worth it to buy an extended validation certificate? Well, let's look at this from a couple of angles. On the face of the debate, it is a good idea. Many CA's offer the domain-only certs, and since just about anyone can get one of those, it can prompt security concerns. Because of the extra vetting the website owner must go through to get the EV certificate, it can really go a long way in smoothing those security issues.

However, let's look at it from a real world scenario. A friend of mine is reworking his company's e-commerce website, and he asked me if it was worth it to buy the extended validation certificate from his CA so "it would turn the address bar green in Internet Explorer." I actually laughed at his description because that is really what this whole EV SSL certificate debate comes down to: a green address bar. Green means "go", right? All is well, full steam ahead. If you don't have an EV cert, your consumer is going to see a white one address bar. But users have been trained and trained to look for the lock, and their address bar has always been white. Why all of a sudden are they going to trust a green address bar? I don't care if the bar changes to a rainbow and flowers and shoots money out my DVD drive; if I see a change like that, I get suspicious, not reassured.

Yes, people are trainable. They will get used to seeing the green bar if companies start buying the EV certs. But that does not translate into them being any less trusting of the sites with a white address bar. Now if red pops up and the window pops up that says this site is a bad site or does not have a trusted certificate, then I get that I have to stop. But I just have not seen enough education of users out there about the green bar and what it means to think that the EV SSL cert is worth it right now.

A side note: if you read the Wikipedia article I referenced above, you will see that the EV SSL certs are usually ore expensive, which is leading many small businesses to have concerns that it will give large businesses a competitive edge. I can see the logic there.

Email this

Digg this

What People Are Saying

Add new comment

I find the Tec-Ed study

Submitted by Bill Burns on September 5, 2007 - 4:55 P.M.

I find the Tec-Ed study methodology flawed in at least two ways:
1) Participants had to already be familiar with the lock icon to be part of the study. I don't think that's representative of most Internet users. Based on the success of phishing sites, most of which do not use SSL at all, people don't know when to look for a lock icon. So this wasn't a representative sampling of Internet users.

2) The study taints the participants. At the beginning of the survey, participants are shown an EV and non-EV site, then told all sbout the benefits of EV. Then they are asked if they recognized EV features in IE7 and whether they feel more comfortable with EV. It's human nature to not feel stupid so most people would agree that they saw something (even if they didn't) and would agree that they want to be more safe than less safe.

It would have been more helpful if this was a blind or double-blind study where participants were asked what differences they noticed between site A and site B, or how they felt entering their credit card in each site. Doubly helpful if the tester also didn't know what the EV features were either.

If SiteKey has shown us anything is that users don't recognize when security indicators are missing and don't know when a website is "secure" or not. I don't see the EV-specific features in IE7 really helping the problem.

Bill Burns
Security Hype blog and podcast

Reply | Report this comment

It seems to me that that the

Submitted by Clifford Scarborough on August 25, 2007 - 1:57 A.M.

It seems to me that that the value of an extended validation certificate increase exponentially with the likelihood of an anonymous transaction. Customers dealing with an established vendor care not about extended validation; trust has already been created. Most my ecommerce vendors fit this model.

However, websites selling to strangers are most apt to benefit from said validation. I'm surprised by the level of increased performance supposedly reported by DebtHelp & OverStock.com so soon after the release of browsers sensitive to extended validation certificates. But I expect that green address bars will become increasingly more effective over time.

Clifford Scarborough
Sage Computing
Sonoma, CA USA

Reply | Report this comment

Tim, Part of what I am

Submitted by Michael R. Farnum on August 24, 2007 - 1:54 P.M.

Tim,

Part of what I am saying is that people need to look into the EV cert (just like everything else) before they spend the extra money. If there is definite ROI there, then I say go for it.

In that vein, I wanted my friend to look at it from his business position and determine if it is cost justified. It turns out that his business model is not going to be helped by this, so I did advise against it.

And please don't get me wrong. From a security perspective, the idea of the EV cert is great. I like it when more vetting is behind the cert. I just don't think it is for everyone.

Thanks for your response and the great information. That will help those trying to determine if this is a good idea for them.

Have a good weekend.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

Reply | Report this comment

Spam culture, part 3: Nigeria (and 419 scams)

Obama Drupal-ing around; whitehouse.gov goes open source

Spammer trick of the month: Delayed DNS

Eugene Kaspersky wants no net anonymity

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!

Top to Bottom Performance Management Excellence at the City of Chicago
View now.

Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?

Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!

The State of PCI DSS Compliance at Organizations Today
Download this resource today!

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

View all newsletters

* E-mail Address:

* Industry:

* Job Title:

* Company Size:

* Country:

* State:

I would like to receive offers via e-mail from Computerworld partners.

Michael R. Farnum's Archive

IT Topics

Sponsored Links

Play NetApp's New Data Defense Game.

How Do You Rank as an Innovation Leader? Download Recent Study.

Play NetApp's New Data Defense Game.

Extraordinary times demand Brocade Extraordinary Networks.

No Payments for Up to 6 Months on Orders over $500.

NetScaler VPX : Harness the Power of Virtualized Web App Delivery

64-page prescriptive guide to security, compliance, and IT operations.

Streamline IT Costs. Boost Performance with WAN Optimization

Enterprise Network & Server Monitoring Software. Cross over to Traverse...

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

Crystal Reports Server: More options. Not more money.

Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval.

Tolly Performance Report "Citrix NetScaler with nCore Outperforms F5 BIG-IP"

Save up to 61% plus Free Cheesecake

Find IT jobs in the Healthcare industry on Dice.com

With the NEW KODAK i700 Series Scanners get full speed at 300dpi!

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

New DW Options and Price Points. View Teradata Platform Family Data Sheet.

See how AT&T can help protect your network.

3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010.

Take the Netezza TwinFin TestDrive!

Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More

New Analytical Platform Options. Download Data Sheet and More.

Get more enterprise mobility value for up to 25% less.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

NYUs M.S. in Management and Systems. Offered Online and On-site.

Increase UPS efficiency without sacrificing protection

Crystal Reports Server: Single server access to reports & dashboards

Create new opportunities. See business making progress now

ESET NOD32 with ThreatSense(R) - Get your free trial now!

Looking to add Unix/Linux functionality to Windows?

Join the conversation about the hottest IT trends with Computerworld on Twitter.

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Introducing: Project Icebreaker

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

IDG.net

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

The Industry Standard

Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

Are extended validation certs worth the extra money?

What People Are Saying

I find the Tec-Ed study

It seems to me that that the

Tim, Part of what I am

Related Posts

Today's Top Stories

Hot Posts

Recent Comments

White Papers & Webcasts

Computerworld Reports

Newsletters

Michael R. Farnum's Archive

IT Topics

Sponsored Links