EXTENDING VALIDATION IN E-COMMERCE

How SSL certification can build trust and secure e-commerce transactions online and via mobile devices

by Thawte

Many consumers do not trust web site safety enough to complete an e-commerce transaction. The frequency of malicious web schemes such as phishing and pharming creates an environment of fear and reticence. Gartner recently reported that 41.2% of online adults in the U.S definitely received Phishing emails, 46% changed their purchasing and online behavior as a direct result of security concerns, and 10% reduced their online spending by at least 50%. As a result nearly $2 Billion in e-commerce sales were lost due to user concern over security.

Online commerce may still be growing but there are a significant number of people opting out or reducing their spending due to security concerns. If you are a web business that depends on consumers trusting you enough to share their financial, personal or other sensitive data this is an alarming trend. Identity authentication now takes center stage in the fight to shore up consumer confidence in e-commerce.

To combat this problem, leading web browser developers and SSL Certification Authorities (CAs), including Thawte, joined forces to create a new standard for web site identity authentication. After more than a year of effort, the CA/Browser Forum introduced the new Extended Validation (EV) SSL certificate. This new standard is the most significant advancement for the World Wide Web’s secure backbone since SSL certificates were first introduced over a decade ago.

Extended Validation SSL certificates offer web sites a better method for assuring their visitors of their legitimate identity. Browser support for the enhanced features of Extended Validation SSL certificates began with Microsoft® Windows Internet Explorer 7 in early 2007 and other browsers, such as Firefox and Opera, have announced their intentions to follow.

Traditional SSL 

SSL certificates were created to validate the genuineness of a web site because it is so easy to counterfeit a business on the web. In 1995, when they were invented, a standard SSL certificate provided adequate protection for consumers. Times have changed; web scams became more sophisticated and these traditional certificates may no longer be adequate. A member of the general public can easily forget to look for the small lock icon in the browser window and they will not necessarily recognize a fraudulent use of an SSL certificate. Sophisticated web scammers easily fool some less stringent CA identity authentication practices and some web fraud sites simply use self-signed SSL certificates that provide no identity authentication at all. The general public often cannot recognize when they are presented with one of these questionable certificates. This is one reason why spoofing schemes such as phishing and pharming have become so prevalent and successful.

EV SSL Standard 

The Extended Validation SSL standard helps solve both the problem of low SSL protection visibility and low assurance of a site’s genuine identity. The CA/Browser Forum, comprised of over twenty browser manufacturers, CAs, and WebTrust auditors along with the American Bar Association Information Security Committee (ABA-ISC), worked for more than a year to create the first inception of the EV authentication process. The CA/Browser Forum continues to develop the EV standard and guidelines in order to improve Internet security and combat online fraud. The EV guidelines describe a set of standardized best practices that must be followed in order for an SSL certificate to meet the requirements for Extended Validation status.

Any CA who wants to issue EV SSL certificates must first pass an independent WebTrust audit confirming their use of the EV identity authentication standard practices. The rigorous EV authentication process described in these guidelines relies on business verification practices proven to be effective for authenticating millions of SSL certificates.

An EV SSL certificate functions the same as a traditional SSL certificate for older browsers that do not recognize EV, such as Internet Explorer 6, Firefox 2.0, and earlier versions of both. For new high-security browsers, such as Internet Explorer 7 (IE7), EV offers significantly more benefits than a traditional SSL certificate. To the end user, these newer browsers display an EV SSL authenticated session in a far more visible and informative way than the small lock icon at the bottom of the page shown for many traditional SSL sessions.

Immediately identifiable 

EV contains a number of user interface enhancements aimed at making the identification of an authenticated site immediately noticeable to the end user. IE7 is the first browser to deliver these benefits: by default with Windows Vista and with an easily prompted update for Windows XP.

The most obvious interface enhancement is the green address bar effect; when an EV-enabled client visits an EV authenticated site the address bar turns a highly visible green color. This conspicuous color change immediately notifies the end user that this web site passed a rigorous authentication process. Green is also a highly effectual color – to most people green means go, it is safe to move forward.

In addition to the green address bar effect, a security status bar appears to the right of the address bar. This field, also green, displays the name of the organization responsible for the web site and toggles to identify the CA that authenticated the web site. The EV SSL certificate provides the source for the names in these fields, confirming that the CA has verified this information. Therefore the end user can depend on it being accurate. This interface convention makes it easier for customers to notice the name of the CA. This new higher visibility to customers should motivate web sites to obtain their certificates from only the most reputable CAs. If a customer is not familiar with the CA, they most likely won’t trust the web site being certified.

These interface enhancements, difficult to counterfeit by phishers and pharmers, create a new level of protection for web site visitors. If a spoof site buys a traditional SSL certificate it would not display the highly trusted green address bar and even if they bought an EV SSL certificate to gain the green address bar, it still would not be able to display the name of the organization they were attempting to spoof in the security status bar.

Real time validity 

Either the Online Certificate Status Protocol (OCSP) function or Phishing Filter within IE7 must be enabled for a client to see the powerful EV interface enhancements. The OCSP allows a browser to perform a real-time validity verification of an SSL certificate. This real time check, part of the high level identity authentication aspect of EV, makes sure this certificate has not been revoked. Newer browsers typically support OCSP but this feature may be manually disabled.

The Phishing Filter in IE7 adds functionality in addition to enabling the EV green address bar and security status bar interface. With the Phishing Filter enabled, an end user’s address bar turns yellow or red when the user visits sites that IE7 identifies as suspicious. IE7 recommends the user activate the Phishing Filter during installation and the Phishing Filter automatically enables OCSP.

IE7 installation page with the Phishing Filter option. Microsoft recommends users enable the Phishing Filter which allows for the enhanced EV interface to display the green address bar and security status bar. Windows Vista systems automatically enable both the OCSP and Phishing Filter functions; for these features to be turned off, the end user must manually disable them.

Trust infrastructures

Building a system to help end users make better decisions about who to trust on the web required the CA/Browser forum to modify almost every component of the trust infrastructure for the web. The EV standard encompasses far more than just a new user interface, although the new user interface will symbolize to end users the significance of the rest of the work performed. EV SSL certificates base their strength on specific identity authentication process requirements and real-time certificate validity verification.

The CA/Browser Forum spent more than a year developing identity authentication guidelines for EV that would be reasonable to follow and would help produce reliable results. EV guidelines require all identity information from certificate requestors be supplied by authenticated third parties or come directly from primary sources. The requesting organization cannot verify its own identity. This requirement makes sure the identity information being authenticated is correct. The authority of the person requesting the EV certificate is also verified. Additionally, all CAs issuing EV SSL certificates must pass an annual WebTrust audit confirming that they are diligently following all the EV authentication guidelines.

Thawte requires a signed acknowledgement of agreement from the organizational contact listed on an order for an EV SSL certificate. A company registration document is also required if Thawte is unable to confirm the organization details through a government database. A legal opinion letter may also be requested to confirm the following details about the requesting organization if Thawte is unable to verify this information elsewhere:

  1. Physical address of place of operation
  2. Telephone number
  3. Confirmation of exclusive right to use the domain
  4. Additional confirmation of the organizations existence(if less than 3 years old)
  5. Organizational contact’s employment status and authorization to purchase EV SSL on behalf of the organization.

Integrity

Security measures in every EV certificate helps ensure the integrity of the certificate. A secure hash embedded in every certificate helps protect against hacking. If the content of an EV certificate is altered, this hash assures that the certificate will be disabled. The validity of every EV certificate is checked in real-time through both the OCSP infrastructure and the Microsoft Root Store. The OCSP makes a real-time inquiry to see if a certificate has been revoked for any reason. In addition to the OCSP inquiry, IE7 browsers check with the Microsoft Root Store in real-time to verify that the EV certificate matches an SSL root approved for EV. This check verifies that the CA issuing the certificate is authorized to issue EV certificates and has not had their status revoked or suspended for any reason.