SSL certificates create a secure communication tunnel by encrypting data sent between a client and a server, or between two servers, to prevent cyber criminals from changing data.
There are three standard types of SSL certificates that are issued by certification authorities: DV, OV and EV. Extended Validation (EV) SSL certificates offer the highest assurance that the domain is NOT assigned to a bad actor. When users see a green address bar or the company name next to the URL, they can see that they are in a trusted domain.
The process by which a certification authority (CA) issues an EV SSL certificate is stricter than that of DV or OV certificates. The certification body verifies that the requesting company is a legal entity, and the validation requires sufficient disclosure of business information to perform this verification. There is an additional manual step in which the entity is contacted by phone to verify its identity. Processing can take several days, depending on the availability of the applicant during the telephone verification phase.
Before issuing an EV SSL certificate, the certification body contacts the organization by phone to verify its identity.
Authentication process for EV certificates
EV shows users that the website has the best security measures in place to protect transactions and ensure compliance with standards and regulations.
Before issuing an Extended Validation Certificate, the certification body goes through a seven-step process based on the guidelines set by the CA / Browser Forum.
- EV registration: Checks whether the applicant is actually an employee of the company or organization and is authorized to proceed with this certificate purchase.
- Organization Authentication: Checks government registration information to verify that the applicant organization is a legally registered entity and that it is active at the registered location.
- Business existence: Checks whether the organization has been in existence for more than three years. Otherwise, additional documents may be required (to complicate the process for cybercriminals trying to set up shell companies to obtain EV certificates).
- Physical address: Checks whether the organization has a real physical address in its registration country.
- Phone Verification: Checks that the organization’s phone number is a working number.
- Domain authentication: Checks whether the organization is the legal owner of the domain being registered.
- Last review call: CA calls the applicant organization’s contact to review the EV application.
Given the care and disclosure of information this process requires, it is statistically far more likely that cybercriminals will apply for DV or OV certificates than that they will undergo the verification process to acquire an EV certificate.
While no Certificate Authority can detect the “intent” of an organization requesting an SSL Certificate, the process described above strives to verify the legitimacy and authenticity of the domain at the time of issuance. EV is one of the best (visible) trust indicators today.