Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Looking for value in EV Certificates

When you are looking for TLS (SSL) certificates, there are three different types available, and vary widely by price and level of effort required to acquire them. Which one you choose impacts how your certificate is treated by browsers; the question for today is, are EV certificates worth the money? To answer this, we need to understand what the differences are just what you are getting for your money.

The Three Options #

For many, the choice of certificate type has more to do with price than type – and for that matter, not that many people even understand that there are real differences in the types of certificates that a certificate authority (CA) can issue. The key difference between the options is how the requester is verified by the CA prior to issuing the certificate. Here is a brief overview of the options available.

DV (Domain Validation) #

Domain Validation is the most common type in use today; for these certificates the CA verifies that the person requesting the certificate has control of the domain, and nothing else. This is done with a number of techniques, such as telling the requester to place a random value in a certain file on the web server. These are also the least expensive, often available for less than the cost of a fast-food meal, or even free from CAs like Let’s Encrypt.

DV certificates are issued with little to no human interaction from the CA, and can often be automated from the requester’s side as well. Protocols such as ACME allow a fully automated request & issuance process, allowing you to easily request and update certificates – the process can be scheduled and handled without a human involved at all.

In the past, HTTPS was viewed as a sign of website trustworthiness; getting a valid HTTPS certificate was too difficult for typical phishing websites. Dhamija et al. challenged 22 people to identify phishing websites, and 17 of them failed to check the connection security indicator during the study. This demonstrated that connection security indicators were ineffective at preventing phishing attacks. Subsequently, HTTPS has ceased to be a useful signal for identifying phishing websites because it is no longer unusual to find malicious websites that support HTTPS.

Source: Rethinking Connection Security Indicators, Felt et al.

The purpose of DV certificates is to enable encrypted connections, it doesn’t validate who is running the domain, or if they are honest, or even if what they do with the domain is legal – the sole purpose is to enable secure connections between the browser and the web server.

OV (Organizational Validation) #

An Organizational Validation (also known as High Assurance) certificate is quite a bit more expensive at roughly $200 (though may be as much as $500) per year, and is more complex to request due to additional paperwork involved. The increase in price compared to DV is largely due to the extra work required as part of the verification process; in addition to validating control of the domain, the CA will also verify documents that prove the requester is a legally formed entity (via licenses or incorporation documents).

EV (Extended Validation) #

Finally, we have EV, the most expensive at roughly $300 (though may be as much as $1,000) per year, EV certificates require the most detailed verification process, and extend upon the requirements of OV certificates. Documents such as proof of having a bank account, proof of address, more detailed requirements on proof of incorporation, proof that the person requesting the certificate is an employee and properly authorized to request the certificate may be required.

Acquiring an EV certificate is a complex process, which may require not only time and effort from technical employees, but also effort on the part of company executives to produce all of the required documentation.

Of drama and marketing #

Thanks to the widely varying price, CAs have an interest in directing customers to more expensive options – OV and EV certificates generate far more profit than DV certificates. Thanks to a few CAs offering free DV certificates, and the introduction of Let’s Encrypt which operates at a massive scale (its market share has gone from 5% to 26% in the last year) – this has led to a race to the bottom on pricing for these certificates, killing the profit in them. This has led to increased attacks by CAs against DV offerings, in an effort to boost OV and EV offerings. The focus of these attacks is primarily around the use of DV certificates in phishing attacks (much has been written about why this isn’t really a problem, so I won’t repeat that fight here.).

The value of OV is questionable at best, and for how it’s used today, it really isn’t any better than DV despite the marketing hype. Much to the chagrin of CAs, OV certificates are given the same treatment that DV certificates receive in browsers – there’s no visible difference between them, so users are completely unaware that you’ve spent the extra money on the OV certificate. CAs have pushed browsers to change this, so that these certificates have additional value to justify the expense, though have had no success in doing so.

EV certificates on the other hand do receive special treatment by browsers:

The green bar with the name and location of the organization (in some browsers) is an exclusive feature of EV certificates, and provide users a way to know who the certificate was issued to. It is this special bar that sets EV apart from the other certificate types, and drives the marketing that makes them sell.

Security: DV vs. OV vs. EV #

With a substantial difference in price and marketing, do OV and EV certificates provide better security? No.

No matter how you look at it, no matter how it’s marketed, the fact is that all three certificate types provide the exact same level of security. The only real difference between them is that OV and EV certificates contain an extra identifier that tells the browser which type of certificate it is. The encryption is the same, there’s no change in the security of the connection between the browser and server.

Perhaps the best explanation of why EV certificates don’t actually add any security at a technical level is this 2008 paper, if you haven’t read it, you should.

EV Certificates & Pinning #

There is one mechanism available where an EV certificate can increase security1, though not without risk. For CAs that issue their EV certificates from a dedicated intermediate, which isn’t uncommon, sites can use Public Key Pinning (HPKP) to pin the CAs dedicated EV intermediate, ensuring that only EV certificates can be used – and preventing a DV certificate, even from the same CA from being accepted. While the death of HPKP has been predicted, it is quite usable, when great care is taken. HPKP allows a site to pin the key used in specific certificates, so once a browser has seen the direction to only trust certain keys, it will reject any that it sees that don’t match. It’s a very powerful tool, though one I rarely recommend because like many things that offer such power, it is easy to get wrong, and can take a site down for an extended period of time with little ability to recover.

This provides a means to ensure that only certificates issued by a specific, selected, EV intermediate can be used – if an attacker tries to impersonate a site (say, via DNS hijacking), this pin will prevent the browser from accepting just any certificate.

The Identity Argument #

The key selling point for OV and EV certificates – both for marketing to customers and the politics of the industry – is that issuance of these certificates involve identity verification. The argument put forward is that you can trust sites that use these certificates more because someone at a CA verified that they are who they claim to be.

This argument relies on one key point: that users know the difference.

The problem with this is, users generally don’t know what that green bar is, or what it means. If it disappeared, would they even notice? Thanks to the special treatment by the browsers, EV certificates do provide the opportunity for users to see that EV certificates are different, but to provide any protection against phishing or similar attacks, users must be aware of its presence, and notice when it isn’t present.

This is the key question, if users are aware, it adds value against phishing attacks, if they aren’t, it doesn’t.

“EV is an anti-phishing defense, although its use is limited by lack of support from popular websites and some major mobile browsers. All major desktop browsers display EV information, but some mobile browsers (including Chrome and Opera for Android) do not display EV information. Older literature suggests that EV indicators may need improvement. Jackson et al. asked study participants to identify phishing attacks and found that “extended validation did not help users defend against either attack”. When testing new security indicators, Sobey et al. concluded that Firefox 3’s EV indicators did not influence decision making for online purchases.”

Source: Rethinking Connection Security Indicators, Felt et al.

Some fraction of users will understand this, and be aware of changes – for this group of users, it adds value because it’s another piece of information that allows them to evaluate how much they trust the site. Though research indicates that few understand the difference, and thus the impact is minimal.

At this point it should be clear, the value proposition for EV certificates isn’t in technical security, it’s a potential boost to user awareness – the opportunity it gives users to make a more informed decision before they provide sensitive information is an edge over OV and DV certificates.

Overall #

I was debating this topic with coworkers recently – the value of EV certificates is limited, it does help inform some users but the percentage is low, it can be used with HPKP to make it harder for an attacker to hijack DNS and perform a successful man-in-the-middle or redirection attack, but that comes with the inherent issues of HPKP and its ability to easily take a site down completely.

With this limited value, it’s difficult to determine if it’s worth the expense – if you are protecting a highly sensitive system, preventing even a single phishing attack could justify the expense, for other systems, it may in fact be a waste of money. As such, it is up to site operators to determine if the small impact that it provides justifies the expense and work required.

  • Even this comes with its own set of limitations, there is still the issue of third-party content, such as JavaScript, which provides another route of attack that isn't mitigated by this technique. When using content from a third-party, you accept their weaknesses and the risk that it adds to your own systems. If you are relying on EV + HPKP, but are using a JavaScript library from a CDN that uses a DV certificate, that still provides an attack vector that bypasses the value of EV+HPKP. This is the reason that Jackson & Barth suggested a httpev:// URL scheme to provide isolation from https:// URLs, ensuring that only resources with EV certificates are loaded. 
  • Adam Caudill

    Related Posts

    • TLS: 64bit-ish Serial Numbers & Mass Revocation

      During a recent discussion about the DarkMatter CA on a Mozilla mailing list, it was found that their 64-bit serial numbers weren’t actually 64 bits, and it opened a can of worms. It turns out that the serial number was effectively 63 bits, which is a violation of the CA/B Forum Baseline Requirements that state it must contain 64 bits of output from a secure random number generator (CSPRNG). As a result of this finding, 2,000,000 certificates or more may need to be replaced by Google, Apple, GoDaddy and various others.

    • TLS Certificates from the Top Million Sites

      Thanks to the recent WoSign / StartCom issues with misused or flawed certificates, there was a question about how many of the certificates issued were actually active – so this seemed to be a good time to run a scan against the Alexa top 1 million sites to see what I could find. Scan information: The scan was ran with an 8 second timeout – so any server that couldn’t complete a handshake within 8 seconds isn’t counted.

    • Testing for SWEET32 with YAWAST

      Testing for SWEET32 isn’t simple – when the vulnerability was announced, some argued that the best solution was to assume that if a TLS server supported any of the 3DES cipher suites, consider it vulnerable. The problem is, it’s not that simple. On my employer’s corporate blog, I wrote about practical advice for dealing with SWEET32 – and pointed out that there are ways around the vulnerability, and some are quite simple.

    • Security By Buzzword – Why I don’t support Ensafer

      Update: I had a call with Ensafer’s CTO, Trygve Hardersen to discuss the issues I brought up, and what they can do about it. First, they updated the site so that downloads are now over HTTPS. He stated that the infrastructure that powers their service is separate from the website, and everything is over HTTPS. They are working on making documentation available, and hope to have the first documents available soon.

    • Developers, Developers, Developers

      Note: This was written in 2012, but not published at the time. The point is still valid, perhaps moreso than ever and deserves to be made publicly. The content has been updated as appropriate, though the core of this article remains intact from the 2012 draft. I would like to note that this doesn’t apply to every environment, there are some where developers are very knowledgeable about security, and write code with minimal issues – my current employer happens to be one of those rare & exciting places.