The Importance of Authentication in SSL

Browsers have evolved to offer a better user experience and greater attention to security. Perhaps most importantly, they now display a security warning to users when they land on a website that lacks encryption.

This is a step forward to a safer Internet, but encryption is only part of the security equation. 

Without a means to verify the owner of that website, the user can’t be sure who they are sending their information to. 

When SSL certificates were first introduced, they served both these critical purposes:  

1.  Encrypting the data in transit

2.  Authenticating the website to which the data is being sent

They were issued by a small handful of Certificate Authorities (CAs), accredited and compliant third parties able to provide both encryption and authentication of your website. 

But as the Internet grew, so did the number of CAs in the market, and the variety of SSL options. And what was the main differentiating factor among these certificates? The level of authentication they provided.

Today, SSL products range from free “encryption-only” certificates, which can be registered in a matter of minutes, to Extended Validation (EV) SSL certificates, which, as their name suggests, involve a thorough validation (authentication) process as part of their registration. 

When choosing an SSL certificate for your site, or helping a customer select one for theirs, your main question should be: what level of authentication do I need? After reading this blog, the answer will be clear.


Minimal Authentication: Domain-Validation (DV) Certificates 

DV certificates are often described as “encryption-only” because they don’t provide confirmation of who the website owner really is. To register a DV certificate, the website owner simply needs to prove ownership of the domain name(s) they are trying to secure. 

Think of DV certificates like library cards: they are easy to obtain and aren’t considered a credible form of identification. 


When to use a DV certificate

These certificates are sufficient if you’re securing a page just to maintain browser compliance (and avoid those warnings), or if you’re hosting a site that purely provides information and you want it done securely.


Basic Authentication: Organization-Validation (OV) Certificates

Before issuing an Organization-validated certificate, the Certificate Authority vets the organization and individual applying for the certificate. If a website visitor chooses to view the OV certificate, they’ll find this verified company information included in the details. 

You can think of an OV certificate like a driver’s license: obtaining one involves a bit more hoop-jumping, but it is better trusted as a form of identification. 


When to use an OV certificate

If you collect any basic personal information from your users, for example, login credentials, they’ll likely want to know who they are sending this information to. An OV certificate from a reputable CA may provide sufficient authentication and assurance in these cases. 

However, Extended Validation certificates (see below) are often a better fit for e-commerce pages or business-critical sites where consumer trust is particularly important.


Advanced Authentication: Extended-Validation Certificates

Extended-validation (EV) certificates involve the most rigorous authentication process and, consequently, provide the highest level of assurance to website visitors. 

What’s more, they do this in a very obvious way: a green address bar that includes the name of the company. Finally, the CA/Browser Forum, the SSL industry’s governing body, sets specific guidelines to govern the registration and authentication process for EV certificates. 

These factors combine to make EV certificates the gold standard, and the assurance they provide becomes ever more essential as the average Internet user becomes savvier and security standards rise. 

Continuing with our analogy, EV certificates can be thought of as passports: they are internationally recognized as the most trusted way to verify a website owner’s identity.


When to use an EV Certificate  

We recommend using an EV certificate if you’re looking to establish a high level of consumer trust or collecting sensitive information, which could range from login credentials to national identifiers to credit card information. While not all browsers treat EV certificates the same way, for users, the additional visual cues can inspire trust and confidence to proceed with the transaction or activity.
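The three validation levels leave different traces in the certificate itself: a DV certificate's subject names only the domain, an OV certificate adds the verified organization, and an EV certificate also carries the business category, jurisdiction and registration number that the CA/Browser Forum EV guidelines require. As an added example (not code from the original post), the following Python classifies a certificate from the subject fields that the standard library's `ssl.SSLSocket.getpeercert()` returns; the attribute names follow the OpenSSL long names Python reports (an assumption), and the sample certificates are constructed.

```python
import socket
import ssl

# Subject attributes that, per the CA/Browser Forum requirements, a CA verifies
# and includes only for an EV certificate. Names follow the OpenSSL long names
# Python's ssl module reports (assumption; unknown OIDs appear as dotted strings).
EV_REQUIRED = {"businessCategory", "serialNumber"}
EV_JURISDICTION = {"jurisdictionCountryName", "jurisdictionStateOrProvinceName",
                   "jurisdictionLocalityName"}


def subject_to_dict(subject):
    """Flatten getpeercert()'s subject (tuple of RDN tuples) into {attr: value}."""
    return {name: value for rdn in subject for name, value in rdn}


def validation_level(cert):
    """Classify a getpeercert() dict as DV, OV or EV from its subject fields.
    Meaningful only after the chain validated to a trusted root: anyone can
    put an organizationName into a self-signed certificate."""
    keys = set(subject_to_dict(cert.get("subject", ())))
    if "organizationName" not in keys:
        return "DV"  # domain control proven, no verified identity
    if EV_REQUIRED <= keys and keys & EV_JURISDICTION:
        return "EV"  # verified legal entity with jurisdiction and registration number
    return "OV"      # verified organization, without the EV-specific fields


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch and chain-validate a live server certificate (network access needed)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real sites).
DV_CERT = {"subject": ((("commonName", "example.test"),),),
           "subjectAltName": (("DNS", "example.test"),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "1234567"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, "->", validation_level(cert))
```

The authoritative signal is the certificatePolicies extension (policy OID 2.23.140.1.1 marks an EV certificate), which `getpeercert()` does not expose; the subject heuristic above agrees with it for issuers that follow the CA/Browser Forum requirements.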


Looking to better market your SSL lineup?

Our partners at DigiCert have some great resources to help you educate your customers and help them find the right fit. Through your partnership with us, you have access to an array of brands and certificate types to help make sure you properly meet the needs of your specific customer for their specific project. You can view our SSL offering here.



This post was sponsored by DigiCert, an OpenSRS partner, and leading Certificate Authority.