Little green idol
A press release from VeriSign informed me that just over half the people who access the internet do so using an EV SSL-enabled web browser client, most of course being Internet Explorer 7 users (47.1%) with 5.7% using Firefox 3. Opera 9 also comes EV SSL-enabled, although I doubt that will improve its tiny share. A statistic not included in the VeriSign release – because I just made it up – is that 50% or more readers of this column have absolutely no idea what EV SSL-enabled actually means, and are fumbling for Google or Wikipedia right now.
Well, the EV bit stands for Extended Validation, while SSL still stands for Secure Sockets Layer. EV SSL is needed, so the argument goes, because there are no generally accepted standards for organisational data verification via certificates. Some site owners employ a graphic of the SSL padlock on their pages, which has helped confuse the real significance of the padlock icon. Throw in the obfuscation of URLs due to dynamically-generated content, which results in ever more complex and obscure page addresses, and it’s little wonder that end users get their knickers in a twist over security and trust issues.
What was needed was some accepted method of providing clear and obvious information about the trustworthiness of the site you’re doing business with, and so a bunch of browser developers and certification authorities got together to specify EV SSL. This is an open standard, established by the CA/Browser Forum (see www.cabforum.org/certificates.html) and intended to provide a measure, or rather an improved measure, of the authenticity of the digital certificates requested in order to secure a web-based transaction. That’s how the CA/Browser Forum describes the function of EV SSL certificates, but you might prefer to think of them as those things that turn your browser address bar green to show that you’ve arrived at the site you were intending to visit, and not at some cloned mirror-site operated by fraudsters. Or at least that’s the idea.
I have a problem accepting VeriSign’s 50% milestone for EV SSL certificates, though. For a start, that statistic refers to potential rather than actuality: it means that more than 50% of browsers by market share are in principle capable of distinguishing between ordinary SSL certificates and Extended Validation versions. But according to VeriSign itself only around “6,000 websites already rely on VeriSign EV SSL certificates”, so you can probably guess the big spanner-shaped question that I’m about to throw into the works – if there are millions of websites out there but only 6,000 of them are using EV SSL, how exactly does this make us feel better protected from those who’d steal our data?
The situation isn’t quite as dire for VeriSign as it initially appears, because first you have to strip away from that figure the millions of websites that have absolutely no transactional component at all. Think about it: how many business-orientated sites that require you to share personally identifiable information (PII) – be it in the form of a credit card transaction or a membership login – do you visit compared with those myriad sites that you just skip through without having to reveal any of your PII?
Box of poo
Tim Callan, vice president of SSL marketing at the VeriSign SSL business unit, says on his blog (https://blogs.verisign.com/ssl-blog/2008/08/over_50_of_client_systems_are.php):