Authored by: Dean Coclin, Senior Director of Business Development at DigiCert
Research shows that as online fraud grows, consumer digital trust in the organisation declines. Whether the fraud is accomplished via a website impersonation attached to a phishing email or a Man-in-the-Middle (MitM) attack, digital trust and enterprise revenue are ultimately the collateral damage sustained by organisations. In fact, cybersecurity has emerged as a leading business risk for APAC companies, with cyber incidents and threats listed as the most critical risk of all.
With consumer-facing sites, gaining this trust is paramount. No matter the size of the enterprise or business, all have to keep in mind users’ trust when choosing a Transport Layer Security (TLS) certificate to encrypt information and secure data being transmitted.
But as security administrators research technical specifications before choosing a certificate, the same question pops up: “If TLS/SSL certificates all do the same thing, what type should we get?” All types of TLS/SSL certificates do fundamentally the same thing: they encrypt information negotiated during the TLS handshake. Correctly installed and configured, any of them will show HTTPS and the padlock in most browsers. Beyond the padlock, however, there are varying levels of security and risk.
What type of TLS/SSL certificate should you get to ensure trust?
There are three types of TLS certificates: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). Certificate authorities (CAs), like DigiCert, validate each type of certificate to a different level of user trust.
Domain Validation Certificate
Domain Validated (DV) certificates are checked against a domain registry to prove ownership of the site domain. However, DV certificates do not carry any identifying organisational information, so they are not recommended for commercial purposes. They may be the cheapest type of certificate to get, but they provide no authentication value in terms of who is behind the website.
Site visitors cannot validate if the business identity is legitimate via the certificate, leaving them more exposed to online fraud. Accordingly, DV certificates should be used only where authentication is not a concern, such as protected internal systems.
Organisation Validation Certificate
To receive an OV certificate, organisations are authenticated by the CA against business registry databases hosted by governments. CAs may require certain documents and contact personnel to ensure that OV certificates contain legitimate business information. This is the standard type of certificate recommended on a commercial or public-facing website.
Extended Validation Certificate
EV certificates add further validation steps and offer the highest level of authentication to safeguard your brand and protect your users. While not every site on the web uses EV certificates, they are used by the world’s leading organisations to ensure user trust. Over half of the top 400 ecommerce sites use EV, according to 2019 data from Comscore and Netcraft. They have found that switching from OV to EV certificates increases online transactions and improves customer confidence.
But they are not just for ecommerce: EV certificates give your brand the highest level of assurance and validation to ensure users know exactly where — and to whom — encrypted data is being sent. That’s why EV is the global industry standard for encrypting highly sensitive data. EV certificates are used for account area logins, front-facing webpages and other sensitive areas.
Plus, it is extremely difficult to impersonate an EV-enabled site. Websites using EV certificates have virtually zero incidents of identity-spoofing attacks. Often, spoofed TLS certificates are used on a website that is linked in a phishing attack to make the site seem legitimate. A report last week highlighted this risk, when attackers imitated a popular cryptocurrency website, even getting a legitimate DV certificate for their fraudulent site that mimicked the EV certificate for the real site. They used this fake site to steal bitcoins. This is significant as large amounts of money can be lost due to phishing attacks, with more than S$7 million lost just in 2020 in Singapore. Phishing attacks account for more than 80 percent of reported security incidents globally, and are increasing in local numbers as well.
Below is an example of an EV certificate in Chrome (see examples of what EV certificates look like in each browser). Note that an EV certificate in Chrome will say “Certificate Valid, Issued to: Name of Company (US)”. If you want more details, you can click on “Certificate” for more information.
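To make the three levels concrete, here is an added example (not DigiCert's code) that classifies a certificate as DV, OV or EV from the subject attributes Python's `ssl` module exposes and, when available, from the CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), and derives the “Issued to” identity a browser can show; the three sample subjects are constructed, not taken from real certificates.

```python
"""Classify a TLS certificate as DV, OV or EV from what the certificate
itself carries: its subject attributes and its certificate-policy OIDs.
The subject format is the tuple-of-RDN-tuples that
ssl.SSLSocket.getpeercert()['subject'] returns.
"""

# CA/Browser Forum policy OIDs that identify the validation level.
CABF_POLICY = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}
# Subject attributes the EV Guidelines require and DV/OV certificates lack.
EV_ONLY_ATTRS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_attrs(subject):
    """Flatten ssl-style ((('countryName', 'US'),), ...) into a dict."""
    return {name: value for rdn in subject for name, value in rdn}

def classify(subject, policies=()):
    """Return 'EV', 'OV' or 'DV'; a policy OID wins over subject heuristics."""
    for oid in policies:
        if oid in CABF_POLICY:
            return CABF_POLICY[oid]
    attrs = subject_attrs(subject)
    if "organizationName" not in attrs:
        return "DV"  # domain only: nothing says who is behind the site
    if EV_ONLY_ATTRS.issubset(attrs):
        return "EV"
    return "OV"

def issued_to(subject, policies=()):
    """What a browser can honestly show as 'Issued to' for this certificate."""
    attrs = subject_attrs(subject)
    if classify(subject, policies) == "DV":
        return attrs.get("commonName", "")  # only the domain was verified
    return f"{attrs['organizationName']} ({attrs.get('countryName', '?')})"

# Constructed sample subjects (not taken from real certificates).
DV_SUBJECT = ((("commonName", "www.example.net"),),)
OV_SUBJECT = ((("countryName", "US"),), (("organizationName", "Example Corp"),),
              (("commonName", "www.example.com"),))
EV_SUBJECT = ((("businessCategory", "Private Organization"),),
              (("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
              (("countryName", "US"),), (("organizationName", "Example Corp"),),
              (("commonName", "www.example.com"),))
```

Run against a live socket's `getpeercert()['subject']`, the DV case is the one to watch: the classifier returns only the domain, which is exactly why a lookalike domain with a legitimate DV certificate tells the visitor nothing about who operates the site.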
Go beyond security with EV
Extended Validation goes beyond security. It has become the baseline for any reputable site that cares about security, its brand and its clients. EV makes a strong statement that your brand is committed to data security and offers the highest level of protection for your users. EV also provides stronger internal security controls, as it allows an organisation to agree strict rules with its CA before any certificate can be issued, including who within the organisation may request a certificate.