Why business customers should use organization validated SSL certificates

Of the three types of SSL certificate validation, which one do you understand the least? I’m willing to bet it’s organization validation (OV).

For the uninitiated, there are different validation methods for different types of SSL certificates. In simple terms:

  • Domain Validated (DV): This is the least rigorous validation method. The Certificate Authority (CA) checks to see that the applicant’s name and contact information match what is stored in the WHOIS database for the domain name associated with the SSL Certificate.
  • Organization Validated (OV): In the case of an OV certificate, the CA performs a much more substantial validation process. This includes checking the applicant’s business credentials (through databases including the Articles of Incorporation) and even making sure that the company’s physical address matches the application.
  • Extended Validation (EV): This is the highest level of validation and can take as long as a few days to complete. The validation process includes checks of physical location, phone calls to ensure the applicant is authorized to order the certificate on behalf of the company or business represented, and more.

Offer at least an OV cert for your business customers

For individuals, a DV certificate is the most affordable and logical choice to provide simple encryption for things like logins.

But for businesses, a domain validated certificate simply isn’t the appropriate choice. If you have small- and mid-sized business customers, at the bare minimum, they should be using an organization-validated certificate to ensure that visitors to their website see the additional information about the organization in the certificate.

A good rule of thumb is this: if the certificate is issued to a company, then it should be one that requires validation of that company – either OV or EV. And anytime there are transactions occurring on a website, an OV or EV certificate should be used to instill confidence in the customer that their data is safe and that they are dealing with who they think they are.
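To make the "additional information about the organization in the certificate" concrete, the following added example (not code from the original article) infers the validation level from the subject fields of a certificate in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`. It is a heuristic: the authoritative marker is the certificate policy OID, which `getpeercert()` does not expose, and the sample certificates and names below are constructed for illustration.

```python
import socket
import ssl

# Subject attributes that only appear in EV certificates, using the
# OpenSSL long names that Python's ssl module reports.
EV_ONLY = {"businessCategory", "jurisdictionCountryName"}

def subject_fields(peercert):
    """Flatten getpeercert()'s nested RDN tuples into a name -> value dict."""
    return {name: value for rdn in peercert.get("subject", ()) for name, value in rdn}

def validation_level(peercert):
    """Heuristic: infer DV/OV/EV from the identity fields in the subject."""
    fields = subject_fields(peercert)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain name was checked
    if EV_ONLY.intersection(fields):
        return "EV"  # organization plus EV-specific registration details
    return "OV"      # organization name and address were vetted

def describe(peercert):
    """One-line summary of what a visitor can learn from the certificate."""
    fields = subject_fields(peercert)
    org = fields.get("organizationName", "(none)")
    return f"{validation_level(peercert)}: organization={org}"

def fetch_peercert(host, port=443, timeout=5):
    """Fetch a live, verified certificate in the same format (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects (hypothetical company and domain).
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {"subject": ((("countryName", "US"),),
                         (("stateOrProvinceName", "Texas"),),
                         (("organizationName", "Example Widgets LLC"),),
                         (("commonName", "shop.example"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Widgets LLC"),),
                         (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(describe(cert))
```
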

10 thoughts on “Why business customers should use organization validated SSL certificates”

  1. This is yet another way of cutting into a business’ profit margin and an attempt to undermine the credibility of everybody that supports that business’ online success (web master, hosting company, etc); in fact it devalues the business’ own brand.

  2. In my mind, SSL certificates are nothing more than a racket. As long as the connection between a server domain and the client is secured by a certificate, who really cares who actually issued the certificate. The whole certificate authority system / scheme is a sham to fleece money out of the business community. Browsers should not care who issued the certificate OR, like domain names, organizations should be “authorized” to issue their own root domain certs without having to pay some organization’s ridiculous fees. $400 for an SSL certificate is ludicrous. I am not the only IT professional who feels this way either!

  3. I would bet the number of people who view the certificate before buying something on a website is…well…close to zero.

    The idea of SSL certs providing a guarantee of who you are dealing with never took on with consumers. And nothing has changed that in the last 15 years.

    While I believe it was the intent, and not just a way to “fleece” people, I think the intent has long ago been shown to be ineffective, and it’s time to give up that side of the SSL Certificate concept.

    I’ve never seen any value in recommending to a client that they spend more on an SSL certificate than they need to, and I’ve never seen anyone quantify a real business value they truly get, backed with hard data, from going with a more expensive certificate or provider. It’s always just stated like in this article, about “customer confidence” but with no data to back it up that customers actually even know, much less care, about these details.

  4. Studies show that consumers do indeed notice things like trust seals, and are influenced by them. Consider that rates of cart abandonment are lower when a consumer sees a recognized name on the seal in the checkout process.

    You may think you are saving your small business customer money by not recommending a more expensive certificate, but as a result they may see lower revenues.

    That said, if you feel the whole thing is a “racket” then the advice above is probably not for you and I don’t imagine that I’ll be able to convince you otherwise regardless of the data that is provided to the contrary.

  5. The commercial CAs that issue the bulk of certificates that clients trust for email servers and public HTTPS servers typically use a technique called “domain validation” to authenticate the recipient of the certificate. –Missed Fortune

  6. Well this article (and specifically the SOURCE survey it’s based on) doesn’t REALLY back up the position that consumer confidence is in ANY WAY bolstered by the TYPE of SSL cert in place on a site. The survey only received responses from half of the intended targets. The other half of the respondents responded with “Don’t know or no preference”.

    There is no data on the makeup of the normalized results used in the survey. For example: of the approx 1200 respondents, what is the breakdown of the physical and geographic demographics — ie: how many males, females, what age groups, where located, etc. This is telling information.. ESPECIALLY for sites geared towards a specific demographic (females aged 18-35 for example).

    Furthermore, several of the “top runners” in this survey were not SSL seals, but TRUST seals.. And I’d venture to guess that if you queried the respondents that chose the “winner” (Norton SSL), they’d tell you they selected it more because of the NAME BRAND recognition than any other factor.. (and the Baymard article suggests that this is LIKELY the case)

    From http://baymard.com/blog/site-seal-trust (the folks who conducted this survey)
    “Looking at the results it’s very interesting to see that the second, third, and fourth most trusted site seals are all “trust seals”, whereas the rest are SSL seals, which – with the exception of Norton – all scored rather low. This is noteworthy because SSL seals suggest actual technical security of the payment form (preventing man-in-the-middle attacks and network eavesdropping), whereas the trust seals often don’t indicate any technical security at all but is rather a certification of the company and/or its consumer relations. This again further points in the direction that what matters for the average user is the perceived security, not the actual technical security.”

    and then..

    “Furthermore its noteworthy that the two most trusted site seals, by far, are from anti-virus software brands. It would seem likely that people recognize these brands better and associate them with security, and therefore trust their site seals (which include the company logos) more.”

  7. “who really cares who actually issued the certificate”

    What if a MITM issued the certificate to themselves? How do you propose browsers verify that the certificate they are presented with is really owned by the person who owns the domain without a CA being involved?
