We have already mentioned that Extended Validation (EV) SSL is an important and effective component in an online business's fight against phishing. However, these certificates only matter if websites actually use them.
So it is worth looking at why websites choose EV SSL certificates. It is common knowledge that they cost more, in both budget and implementation time, than Domain Validation (DV) certificates. So if an IT team has no good reason to choose EV, we should expect it to save the money and time. Although the cost and inconvenience of EV are negligible compared to other parts of the security stack, IT teams are fundamentally efficiency and budget oriented: if there is no reason to do otherwise, they choose the cheapest and easiest option.
Advantages of EV SSL
When we talk about benefits, it is important to remember that authentication is not for the benefit of the entity being authenticated. Read that again and think about it for a moment: authentication is not for the entity being authenticated. It is for everyone else. Take an ID document as an example, such as a driving licence or a passport. When you go to the airport, you need to carry official ID with you. This is not because you have doubts about your own identity. You carry your passport because the TSA and customs officials at the airport require it. Your passport is not for you; it is for them. Why do you carry it when travelling? Because they will not let you on the plane otherwise. In other words, there is a motivation built into the system for authenticating people: if we want to fly, we have to be authenticated. Our motivation is not to establish our own identity to ourselves, since we all know who we are. Our motivation is to be allowed on the aircraft. The same applies to authenticating online sites and services. IT professionals are not going to spend time and effort proving to themselves that their site is genuine, because they already know that. To invest in authentication, they need a motivator. Let's explore some of the possible motivators.
EV is safer
One possible motivation is simply to offer a safer experience. With EV SSL, your website visitors get more information with which to distinguish real websites from fake ones, which undermines the success of social engineering attacks. In an ideal world that would be all the motivation needed, and every site would use EV SSL. Many companies do use EV for this reason. Sometimes it is because they believe that protecting website visitors is good customer service, and that is reason enough. Sometimes it is because they themselves are potential victims of spear-phishing attacks that target their own employees, suppliers or other ecosystem partners. Sometimes it is because they are trying to minimise the cost of account takeover or other service problems caused by attacks. Online financial services, from payments to banking to credit cards and securities trading, are obvious candidates for EV SSL, because they are often on the hook to make customers whole when those customers fall victim to this type of attack. These services therefore have a direct, income-statement motivation to minimise this class of problem.
Unfortunately, it is not an ideal world. Many online companies do not seem to have worked out why protecting customers from criminals is worthwhile to them. Retailers, social media sites and many other online businesses feel no acute impact when a customer is phished. Stolen credit card data is used for all sorts of purposes and may never be traced back to the merchant from which it was originally stolen, and while the customer is inconvenienced by the theft, it is very unlikely that the retailer will ever be blamed. The same is true for many other websites where the primary phishing activity is credential theft, not to take over that particular account but to try the same username and password combinations on other, more valuable sites (especially in the financial sector).
If your credentials are stolen on a sloppy website by a phisher who then uses them to get into your bank account, the sloppy website is never directly affected. So while EV's security benefits are motivating in their own right, many important phishing targets do not directly benefit from the enhanced security that EV offers. That creates a gigantic prisoner's dilemma on the web: we would all be better off if every site used EV, but any single site that skips EV saves money and inconvenience with no real downside to itself. That is why many do skip it, and we all suffer for it. To achieve broad adoption of EV, we therefore need motivators beyond security alone.
EV helps with compliance
Another potential motivator, for a subset of websites, is compliance. Many major compliance standards such as PCI DSS and HIPAA/HITECH require websites to take measures to protect their customers from the loss of sensitive information such as credit card numbers, PII and PHI. Because EV provides stronger protection against this type of theft than an OV or DV certificate, many security and governance departments find that EV is the most straightforward way to satisfy auditors on these standards. As it happens, the overlap between organisations strongly motivated by compliance and organisations strongly motivated by security for its own sake is very large. Financial use cases fall firmly into both camps, so compliance does not add many sites beyond those already motivated by security. The main exception is healthcare and pharmaceutical companies, which have strict HIPAA/HITECH requirements and are better-than-average adopters of EV SSL. Even so, the set of websites motivated to present authenticated identity this way is far from ubiquitous. Many websites need an additional motivator.
EV increases site transactions and use
Businesses are extremely pragmatic. Every company website exists for a specific end goal. If the business is an online retailer or a SaaS company, the goal is obvious: to sell or deliver goods and services. But every business website has a goal of some kind; otherwise the company would not invest the money, staff time and focus to create and maintain it. These goals can include:
- Selling goods or services
- Provision of online services
- Improved customer service (e.g. enabling online checking of a phone or credit card statement)
- Increased service efficiency (e.g. enabling online self-service instead of a conversation with a call-centre agent at a telephone bank)
- New service registrations
- Lead generation
- Consumption of advertising material
- Download assets or applications
- ‘Stickiness’ for a service, a product or a relationship
- Brand and market building for products
For each of these goals we can calculate an economic value. For example, if you enable superior customer service, you increase customer satisfaction and Net Promoter Scores, which in turn improves renewals, share of wallet and word of mouth. Greater service efficiency lets you provide the same level of service to the same number of customers at lower cost. Better lead generation lowers the cost per lead and increases sales. More use of an ad-funded website means more ad units can be sold. And so on. In each case, improving performance against the goal directly benefits the organisation. The security indicator of the green address bar, including the company name in green, should do exactly that: improving user confidence increases website usage and the propensity to transact, which in turn drives all of the objectives above. The ROI calculation differs for each of these use cases, but because the effort and budget required to obtain an EV SSL certificate are trivially small, the expected return on investment is large. For a few hundred dollars a year and an extra day or two waiting for the certificate to be issued, any measurable improvement in online business KPIs more than justifies the cost.
EV improves the online brand presence
A slightly more subtle point related to increased website usage is the impression a website leaves on its visitors. By displaying a visible security indicator, a company signals several important things to its site visitors, including:
- This company invests in first-class security.
- This business takes care of the wellbeing of customers.
- This business is real and operating.
- Doing business with this company is safe and hassle-free.
Signalling these messages during an online experience has a halo effect on the overall perception of the brand. Given the very large investment many organisations make in creating these brand impressions, EV is again an extremely simple and cost-effective way to contribute to those efforts.
These advantages depend on the conventions of the browser interface
- To combat phishing, an EV certificate must visually distinguish real websites from fake ones.
- To contribute to compliance requirements, EV certificates must be recognisable as such, so that they can combat phishing.
- To increase transactions and use of the website, EV certificates must be visible to users in a way that users associate with a safer experience.
- To contribute to a positive brand impression, EV certificates must give users a positive signal.
Browser makers can increase the effectiveness of EV by making the difference between EV and non-EV certificates clear and by making the company name and other identity information easy for the user to recognise. Or browsers can reduce or hide the information about EV certificates and forfeit all of these advantages. Note that Chrome (from version 77) and Firefox (from version 70) both moved the EV company name out of the address bar and into the page-information dialog in 2019, so the visual distinction that this section relies on is no longer present in those browsers. To improve security for users and for the Internet as a whole, browser makers should choose the first route and help users protect themselves from impersonation of the sites they trust.
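Whatever the browser chooses to display, the validation level and the identity information are carried in the certificate itself. The following is an added example, not code from the original page: it uses the CA/Browser Forum certificate-policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) and the subject attributes the EV Guidelines require (organizationName, countryName, businessCategory, serialNumber and jurisdictionCountryName) to classify a certificate, and rebuilds the "Organisation [jurisdiction]" label that the green address bar used to show. The certificates are self-signed test certificates constructed inline with Python's `cryptography` library; the organisation "Example Bank, Inc." and the hostnames are invented, and a real checker would of course also validate the chain to a trusted root.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# CA/Browser Forum certificate-policy OIDs that mark the validation level.
EV_POLICY = "2.23.140.1.1"
DV_POLICY = "2.23.140.1.2.1"
OV_POLICY = "2.23.140.1.2.2"
IV_POLICY = "2.23.140.1.2.3"

# Subject attributes the EV Guidelines require in addition to the CN.
# jurisdictionCountryName is given by its dotted string (1.3.6.1.4.1.311.60.2.1.3).
JURISDICTION_COUNTRY = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.3")
EV_REQUIRED_SUBJECT = {
    "organizationName": NameOID.ORGANIZATION_NAME,
    "countryName": NameOID.COUNTRY_NAME,
    "businessCategory": NameOID.BUSINESS_CATEGORY,
    "serialNumber": NameOID.SERIAL_NUMBER,
    "jurisdictionCountryName": JURISDICTION_COUNTRY,
}


def make_test_cert(subject_attrs, policy_oids):
    """Build a self-signed certificate with the given subject attributes and
    certificatePolicies OIDs. Constructed test data, not a CA-issued certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    policies = x509.CertificatePolicies(
        [x509.PolicyInformation(ObjectIdentifier(oid), None) for oid in policy_oids]
    )
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(policies, critical=False)
    )
    return builder.sign(key, hashes.SHA256())


def policy_oids(cert):
    """Dotted-string policy OIDs from certificatePolicies; empty set if absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return set()
    return {info.policy_identifier.dotted_string for info in ext.value}


def subject_value(cert, oid):
    """First subject attribute value for oid, or None if the subject lacks it."""
    attrs = cert.subject.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else None


def validation_level(cert):
    """Return (level, missing_ev_fields). A certificate that asserts the EV
    policy but lacks the EV identity attributes is reported so a checker can
    refuse to treat it as EV."""
    oids = policy_oids(cert)
    if EV_POLICY in oids:
        missing = [n for n, oid in EV_REQUIRED_SUBJECT.items() if subject_value(cert, oid) is None]
        return "EV", missing
    if OV_POLICY in oids:
        return "OV", []
    if IV_POLICY in oids:
        return "IV", []
    if DV_POLICY in oids:
        return "DV", []
    return "unknown", []


def ev_display_name(cert):
    """The 'Organisation [jurisdiction]' label the green address bar showed;
    None for anything that is not a complete EV certificate."""
    level, missing = validation_level(cert)
    if level != "EV" or missing:
        return None
    org = subject_value(cert, NameOID.ORGANIZATION_NAME)
    jurisdiction = subject_value(cert, JURISDICTION_COUNTRY)
    return f"{org} [{jurisdiction}]"


# Constructed sample certificates (invented organisation and hostnames).
EV_CERT = make_test_cert(
    [
        (NameOID.COMMON_NAME, "www.example-bank.test"),
        (NameOID.ORGANIZATION_NAME, "Example Bank, Inc."),
        (NameOID.COUNTRY_NAME, "US"),
        (NameOID.BUSINESS_CATEGORY, "Private Organization"),
        (NameOID.SERIAL_NUMBER, "1234567"),
        (JURISDICTION_COUNTRY, "US"),
    ],
    [EV_POLICY],
)
DV_CERT = make_test_cert([(NameOID.COMMON_NAME, "www.example-shop.test")], [DV_POLICY])
# Asserts the EV policy OID but carries only OV-style subject fields.
BOGUS_EV_CERT = make_test_cert(
    [
        (NameOID.COMMON_NAME, "www.example-bank.test"),
        (NameOID.ORGANIZATION_NAME, "Example Bank, Inc."),
        (NameOID.COUNTRY_NAME, "US"),
    ],
    [EV_POLICY],
)

if __name__ == "__main__":
    for label, cert in (("EV", EV_CERT), ("DV", DV_CERT), ("bogus EV", BOGUS_EV_CERT)):
        print(label, validation_level(cert), ev_display_name(cert))
```

The third sample matters in practice: a certificate can carry the EV policy OID without the identity fields behind it, and browsers only accepted the EV OID from roots whose CAs had passed an EV audit. Classifying on the policy OID alone is therefore not enough; check the subject attributes as well, and in a real deployment check the chain too.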