MRC's Extended Validation Certificates Recommendation Flawed

The threat of identity theft when shopping on-line still keeps some potential shoppers in brick and mortar stores. In attempt to boost consumer confidence in on-line shopping, The Merchants Risk Council, who mission statement is to "to make the internet a preferred place to shop and sell", is recommending that e-commerce sites adopt extended validation certificates in place of their current SSL certificates. Unfortunately, the recommendation falls flat.

Extended validation (EV)certificates offer little over SSL certificates issued by certificate authorities. When you purchase an SSL certificate from a CA, they will typically check to ensure that you are the authorized person requesting the certificate for the domain. The details are referenced in each certificate authorities Certification Practice Statement and Certificate Policies. With EV certificates, the certificate authority is supposed to further verify that the company is an actual business. If the business is verified, the EV certificate is issued. Internet Explorer and Opera, when seeing a valid EV certificate will turn the address bar green. Otherwise, the address bar remains neutral. Invalid certificates turn the address bar red. Green good, red bad. Neutral OK.

That's fine in theory, but the e-commerce industry spend years telling consumers that a yellow lock in the browser was good indication of a secure connection. Add in the various logo programs like Scan Alerts Hacker Safe which audits web sites and Verisign Secured programs which indicates that the SSL certificate was issued by Verisign. Those two very different programs compound the confusion. Most consumers simply won't do the research to suss out the meaning of logo.

There are many reasons why unsuspecting users fall prey to phishing scams—scams are sophisticated and users are largely uneducated about the various problems. Both problems are exacerbated by implementations in browsers that are often difficult to understand by non-technical users. That is an extremely difficult problem to solve. A January 2007, a joint research paper by Stanford University and Microsoft drives the point home that extended validation certificates made no difference in a users ability differentiate a legitimate web site from a phishing site.

It's time to stop offering up EV certificates as a reliable means for consumers to differentiate a legitimate site from a fraudulent one and focus energies towards methods that will actually help consumers to determine legitimate sites.