The Shortcut Guide to Extended Validation SSL Certificates

In an excerpt from Dan Sullivan's book, "A Shortcut Guide to Extended Validation SSL Certificates," the author explains some of the limitations of SSL.

The following is an excerpt from the eBook, The Shortcut Guide to Extended Validation SSL Certificates. In this section of Chapter 2: Overview of SSL and EV-SSL Certificates (.pdf), author Dan Sullivan explains the weaknesses in how certificates are issued.

Limitations of SSL: Lack of Standards

Lack of Authentication Standards
The SSL protocol depends on the existence of a trusted third party. It is assumed that parties that want to communicate over a secure channel can agree on an organization that will vouch for the identity of holders of SSL certificates. The protocol does not address some key issues related to authenticating a person or organization before issuing a certificate:

  • What constitutes sufficient proof of identity?
  • Are there varying levels of proof?
  • If so, how will certificates represent the varying levels of proof?
  • How can one be sure different CAs follow the same standards for identifying a party?

These issues all move us from the realm of cryptography and network protocols into the often more complex organizational and procedural issues that surround CAs.

Varying Levels of Certification

Sometimes a relatively inexpensive and weak lock is sufficient to meet one's needs, for example, to keep a toddler from getting into a cabinet filled with chemical cleaners. One could invest in a stronger lock, but it would not add any advantages to the existing solution. An entire house, however, is likely to have stronger locks that will better protect its inhabitants and their possessions. The additional cost and effort required to use the better locks is well justified. Finally, a bank, an obvious target for thieves, will use specialized locks and additional security measures to protect its assets.

Domain-Only Certificates
In the case of online transactions, different needs dictate different levels of security and authentication. A Web master running a site for a local basketball league wants to allow coaches to use the site to post practice schedules and other team-related information. The Web master does not want anyone else changing those schedules, so she implements a user login. Being security conscious, she also does not want clear text passwords sent over the Internet, so she uses the SSL protocol to establish a secure channel between clients and her Web server.

This is a relatively low-security environment. There are no financial transactions, no exchange of confidential personal information, and no potential for significant loss of intellectual property. Coaches, if they are concerned at all about submitting their usernames and passwords, would likely want nothing more than to be assured that the transaction is encrypted. In this case, simply having a certificate that verifies the identity of the domain is sufficient.

Domain-only certificates typically validate that the requestor of a certificate is authorized to use that domain. These certificates are inexpensive, largely because the validation process can be automated. Information about the owners of domain names is readily available from utility programs, such as whois. (See Figure 2.8 for example output of whois).

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to for detailed information.

 Domain Name: THAWTE.COM
 Whois Server:
 Referral URL:
 Name Server: NS1.CRSNIC.NET
 Status: clientTransferProhibited
 Updated Date: 01-may-2007
 Creation Date: 10-feb-1996
 Expiration Date: 11-feb-2008

Figure 2.8: Information about domain owners is publicly and programmatically available on the Internet. This easy-to-access information is used for domain-only validations.

Domain-only certificates have lowered the cost of using SSL, which has been a benefit to many. Unfortunately, they have also lowered the cost of starting phishing sites that look legitimate. They have also led some companies to use lower-grade certificates rather than authenticated certificates to protect sensitive data. More extensive authentication procedures should be used for most business-oriented domains.

Full-Company Validation
When CAs use full validation procedures, they look for more rigorous proof of the identity of the person, business, or organization requesting a certificate. They will still go through the same steps as the domain-only validation, but in addition they will do things such as:

  • Verify the existence of a physical address of the person, company, or organization
  • Check government records to verify a business is legally established
  • Require copies of documentation, such as a driver's license for a person or incorporation papers for a company

With full-company validation, one cannot simply register a domain name and acquire a certificate; the requestor must be able to demonstrate the company has some established legal identity. Again, there are varying levels of certification involved depending on the issuing CA.

Problems with Varying Levels of Certification
The biggest problem with varying levels of certification is that these variances are not apparent to users who are expected to trust these certificates. When a browser establishes an SSL session with a server, the same lock icon will appear on the browser whether the server certificate is domain-only or full-company validation. A phishing site can look as legitimate as a real bank's site.

EV SSL Certificates
EV SSL certificates use the same cryptography and network protocols as SSL certificates, but they improve the certification process to address the weaknesses outlined earlier. The standards for EV SSL certificates have been established by a governing body known as the CA/Browser Forum ( Before an EV SSL certificate is issued, the CA conducts a thorough and standardized process to verify the identity of the requestor. The steps include:

  • Verifying that the entity physically exists
  • Verifying that the entity is legally recognized
  • Verifying that the entity is actively conducting business or other operations
  • Verifying that the identity of the entity matches the identity on legal records
  • Verifying that the entity has legitimate use of the domain
  • Verifying that the individual requesting the certificate is an authorized representative of the company in question

CAs that issue EV SSL certificates are also subject to audits, performed by WebTrust, a professional assurance organization, to demonstrate that proper policies, procedures, and training measures are in place to ensure quality control.

In addition, most high-security browsers, such as Microsoft IE7, now provide additional visual cues to users when a site uses an EV SSL certificate. This eliminates the problem of how a user is to know the level of verification and authentication behind a certificate.
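The problem described under "Problems with Varying Levels of Certification" (one lock icon for every level) and the EV verification steps above come down, inside the certificate itself, to what the certificate asserts: an EV certificate carries the organization's legal identity (name, business category, registration number, jurisdiction of incorporation) in its subject plus a certificate-policy identifier, while a domain-only certificate carries little more than the host name, and a browser can only show a stronger cue if it checks those fields. The following example is added here and is not code from the book or from any CA or browser. It assumes the CA/Browser Forum reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV) and the subject layout that Python's ssl.SSLSocket.getpeercert() returns; the policy OIDs are passed in separately because getpeercert() does not expose the certificatePolicies extension, and all sample certificates are constructed. A real browser additionally requires that the issuing root be enabled for EV in its root store; that check is outside this example.

```python
"""Classify the validation level (DV / OV / EV) a server certificate asserts.

Added example for this article, not code from the book or from any CA.
Sample certificates below are constructed; no network access is needed.
"""

# CA/Browser Forum reserved certificate-policy OIDs that mark the validation level.
EV_POLICY_OID = "2.23.140.1.1"    # Extended Validation
OV_POLICY_OID = "2.23.140.1.2.2"  # Organization Validated
DV_POLICY_OID = "2.23.140.1.2.1"  # Domain Validated

# Subject attributes an EV certificate must carry, keyed by the long name
# OpenSSL reports, with the dotted OID that older OpenSSL builds use for the
# jurisdiction attribute they do not know by name.
EV_REQUIRED_SUBJECT = {
    "organizationName": "2.5.4.10",
    "businessCategory": "2.5.4.15",
    "serialNumber": "2.5.4.5",
    "jurisdictionCountryName": "1.3.6.1.4.1.311.60.2.1.3",
}


def subject_to_dict(subject):
    """Flatten the nested RDN tuples of getpeercert()['subject'] into a dict."""
    flat = {}
    for rdn in subject:
        for name, value in rdn:
            flat.setdefault(name, value)
    return flat


def has_attribute(subject, long_name):
    """True if the attribute is present under its long name or its dotted OID."""
    return long_name in subject or EV_REQUIRED_SUBJECT.get(long_name) in subject


def classify(cert, policy_oids):
    """Return (level, findings) for a getpeercert()-style dict.

    level is 'EV', 'OV' or 'DV'. findings lists anything a relying party
    should notice before trusting the claimed level: the policy OID alone
    proves nothing, so a certificate that claims EV without the identity
    fields is rated only as high as its subject supports.
    """
    subject = subject_to_dict(cert.get("subject", ()))
    findings = []

    if EV_POLICY_OID in policy_oids:
        missing = [n for n in EV_REQUIRED_SUBJECT if not has_attribute(subject, n)]
        if not missing:
            return "EV", findings
        findings.append("EV policy asserted but subject lacks: " + ", ".join(missing))

    if OV_POLICY_OID in policy_oids or "organizationName" in subject:
        if "organizationName" not in subject:
            findings.append("OV policy asserted but no organizationName in subject")
            return "DV", findings
        return "OV", findings

    if DV_POLICY_OID not in policy_oids:
        findings.append("no CA/Browser Forum policy OID; treating as domain-only")
    return "DV", findings


# Constructed sample subjects in the layout ssl.SSLSocket.getpeercert() uses:
# a tuple of RDNs, each a tuple of (attribute name, value) pairs.
DV_CERT = {"subject": ((("commonName", "league.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "www.example-bank.test"),))}
EV_CERT = {"subject": ((("1.3.6.1.4.1.311.60.2.1.3", "US"),),  # jurisdiction as dotted OID
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "1234567"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "www.example-bank.test"),))}
# Claims the EV policy but carries none of the legal-identity attributes.
FAKE_EV_CERT = {"subject": ((("organizationName", "Example Bank Inc"),),
                            (("commonName", "www.example-bank.test"),))}


def demo():
    """Classify each constructed certificate; returns {name: (level, findings)}."""
    return {
        "league": classify(DV_CERT, []),
        "bank-ov": classify(OV_CERT, [OV_POLICY_OID]),
        "bank-ev": classify(EV_CERT, [EV_POLICY_OID]),
        "fake-ev": classify(FAKE_EV_CERT, [EV_POLICY_OID]),
    }


if __name__ == "__main__":
    for name, (level, findings) in demo().items():
        print(f"{name:8s} -> {level}  {'; '.join(findings)}")
```

Run with the subject of a live session (`sock.getpeercert()["subject"]`) plus the policy OIDs read from the DER certificate, and the result is the distinction the book says the lock icon hides: "league" rates DV, "bank-ov" rates OV, "bank-ev" rates EV, and "fake-ev" is held to OV with a finding explaining why its EV claim was not honoured.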

Read the rest of Chapter 2: Overview of SSL and EV-SSL Certificates (.pdf).

The SSL protocol is well designed with respect to preventing eavesdropping and avoiding successful man-in-the-middle attacks. It is less concerned with the processes and procedures that a person or organization must go through to acquire a certificate.

Rarely in business or government operations is there a situation in which one size fits all. Security requirements are especially variable. Consider a simple analogy with locks on doors.

The root of this problem was that there were no well-defined standards for authenticating businesses. Two different CAs may have different procedures for full-company certification. One company may check government records to see if a business by a certain name has been established, while another will make more rigorous checks to see that the company is actually still actively in business. These variations in current practices, along with the rise of phishing scams, have undermined trust in online commerce and prompted the industry to respond with a new type of SSL certificate that does not suffer from these deficiencies.
This was last published in July 2008
