We have written earlier about how Extended Validation (EV) SSL is an important and effective component of online business’s fight against phishing. These certs only matter, however, if sites use them.
So it’s worth taking a look at why sites would use EV SSL certificates. It’s widely understood that these certificates are more costly in budget and implementation time than Domain Validation (DV) certificates, so unless an IT team has a good reason to go with EV, we should expect them to save a little money and time. Even though the cost and inconvenience of EV is trivially small compared to other parts of the security stack, people are fundamentally efficiency- and budget-oriented. So in the absence of a reason to do otherwise, they will go for the cheapest and easiest solution.
When we talk about benefits, it’s critical to remember that authentication is not for the entity being authenticated. Read that again and think about it for a moment: Authentication is not for the entity being authenticated.
Rather it’s for everyone else. Let’s use the example of personal identification like a driver’s license or a passport. When you go to the airport, you make sure to carry some kind of official identification with you. That’s not because you have doubts about your own identity. Rather, you carry your passport because the TSA and customs officials at the airport will require it. Your passport isn’t for you; it’s for them.
So why do you carry your passport when you travel? Because otherwise they won’t let you on the plane. In other words, the system has motivation built into it for individuals to be authenticated. If we want to fly, we need to be authenticated. Our motivation isn’t to be confident in our own identity; we each know who we are. Our motivation, rather, is to be allowed on the airplane.
The same situation exists for authentication of online sites and services. IT professionals won’t invest their time and effort in telling themselves that they’re real because they already know that. To invest in authentication, they need a motivator. Let’s explore some of the possible motivators.
One potential motivation is simply to offer a more secure experience. An EV certificate carries the vetted legal identity of the site operator (organization name, jurisdiction, registration number), which a DV certificate does not, so EV gives site visitors more information with which to tell a real site from a counterfeit, and that undermines the success of social engineering attacks. In an ideal world that would be all the motivation anybody would need to use EV SSL.
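To make the difference concrete, here is an added example (not code from the original post) that builds an EV-shaped and a DV-shaped certificate for the same hostname in memory with the `cryptography` library and shows what a relying party can learn from each. The EV shape carries the CA/Browser Forum EV policy OID (2.23.140.1.1) plus the vetted subject fields; the DV shape carries only a common name and the DV policy OID (2.23.140.1.2.1). The company name, jurisdiction, registration number, the look-alike hostname and the indicator text format are assumptions for illustration, and the certificates are self-signed test data, not issued by any CA. It also goes one step beyond the paragraph: a certificate that asserts the EV policy OID without the vetted subject fields is treated as non-EV rather than trusted. A real browser additionally requires that the chain end at a root enabled for EV; that check is outside this example.

```python
"""Inspect the identity an EV certificate carries that a DV certificate does not.

Added example, not code from the original post. Certificates are constructed
self-signed test data; names, jurisdiction and indicator format are assumptions.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

CABF_EV_POLICY = ObjectIdentifier("2.23.140.1.1")    # CA/B Forum EV Guidelines
CABF_DV_POLICY = ObjectIdentifier("2.23.140.1.2.1")  # CA/B Forum BR, domain-validated

# Subject attributes the EV Guidelines require that a DV certificate lacks.
EV_REQUIRED_SUBJECT_OIDS = (
    NameOID.ORGANIZATION_NAME,
    NameOID.BUSINESS_CATEGORY,
    NameOID.JURISDICTION_COUNTRY_NAME,
    NameOID.SERIAL_NUMBER,  # company registration number, not the cert serial
    NameOID.COUNTRY_NAME,
    NameOID.LOCALITY_NAME,
)


def make_test_cert(subject: x509.Name, policy_oids) -> x509.Certificate:
    """Self-signed certificate with the given subject and certificatePolicies (test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    policies = x509.CertificatePolicies(
        [x509.PolicyInformation(oid, None) for oid in policy_oids]
    )
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(policies, critical=False)
        .sign(key, hashes.SHA256())
    )


def _attr(name: x509.Name, oid: ObjectIdentifier):
    attrs = name.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else None


def identity_summary(cert: x509.Certificate) -> dict:
    """What a relying party can learn about the operator from the certificate alone."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
        policy_oids = {p.policy_identifier for p in ext.value}
    except x509.ExtensionNotFound:
        policy_oids = set()

    subject = cert.subject
    missing = [oid.dotted_string for oid in EV_REQUIRED_SUBJECT_OIDS
               if _attr(subject, oid) is None]
    # The policy OID alone is not enough: an EV assertion without the vetted
    # subject fields is treated as non-EV here rather than trusted.
    claims_ev = CABF_EV_POLICY in policy_oids
    is_ev = claims_ev and not missing
    return {
        "ev": is_ev,
        "common_name": _attr(subject, NameOID.COMMON_NAME),
        "organization": _attr(subject, NameOID.ORGANIZATION_NAME) if is_ev else None,
        "jurisdiction": _attr(subject, NameOID.JURISDICTION_COUNTRY_NAME) if is_ev else None,
        "registration_number": _attr(subject, NameOID.SERIAL_NUMBER) if is_ev else None,
        "missing_ev_fields": missing if claims_ev else [],
    }


def indicator_text(summary: dict) -> str:
    """Text an EV-aware UI could show next to the lock (the format is an assumption)."""
    if summary["ev"]:
        return f'{summary["organization"]} [{summary["jurisdiction"]}]'
    return summary["common_name"] or "(no identity)"


def build_samples() -> dict:
    """Constructed EV-shaped, DV-shaped and look-alike certificates (test data)."""
    ev_subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.BUSINESS_CATEGORY, "Private Organization"),
        x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, "1234567"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Springfield"),
    ])
    dv_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    # A look-alike host that asserts the EV policy but was never vetted as an organization.
    spoof_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.examp1e.com")])
    return {
        "ev": make_test_cert(ev_subject, [CABF_EV_POLICY]),
        "dv": make_test_cert(dv_subject, [CABF_DV_POLICY]),
        "spoof": make_test_cert(spoof_subject, [CABF_EV_POLICY]),
    }


if __name__ == "__main__":
    for label, cert in build_samples().items():
        s = identity_summary(cert)
        print(f"{label:5s} ev={s['ev']!s:5s} indicator={indicator_text(s)!r} "
              f"missing={s['missing_ev_fields']}")
```

Run it and the EV certificate yields an indicator of the form `Example Corp [US]`, while the DV and look-alike certificates yield nothing beyond the hostname; the look-alike is also reported with the list of vetted fields it lacks. That gap between "a hostname" and "a registered company in a named jurisdiction" is the information the green bar surfaced.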
Many, many businesses do use EV for exactly this reason. Sometimes it’s just because they believe that protecting site visitors is good customer service, and that’s reason enough. Sometimes it’s because they themselves are potential victims of spear phishing attacks aimed at their own employees, vendors, suppliers, or other ecosystem partners. Sometimes it’s because they seek to minimize the costs of account takeover or other service problems stemming from attacks.
Online financial services ranging from payments to banks to credit cards and securities trading are pretty darn good about using EV SSL. That’s because they may be on the hook for making customers whole if they fall victim to this kind of attack. So these online financial services feel direct P&L motivation to minimize this class of problem.
Unfortunately, it’s not an ideal world. Many online businesses don’t appear to have connected the dots on how it’s worth their while to protect customers from criminals. Retailers, social media sites, and a lot of other online businesses don’t feel acute impact from a customer’s victimization at the hands of phishers. Stolen credit card details are used for all sorts of purposes and may never actually come back to the retailer that originally enabled the theft. And while the customer will be inconvenienced by the credit card theft, it’s highly unlikely the blame will ever fall on this retailer.
Ditto for many other sites, where the primary phishing activity is to steal a login credential, not to take over that particular account but rather to check other more valuable sites (particularly in the financial sector) for similar name/password combinations. If a sloppy site enables your credentials to be stolen by a phisher who then uses this information to gain access to your bank account, the site will never feel the direct impact of that sloppiness.
So while the security benefits of EV on their own are motivational, many important phishing targets don’t gain direct benefits from the improved security brought about by EV. And that creates a gigantic prisoner’s dilemma on the web. While we’d all be better off if all sites used EV, many individual sites that skip EV stand to save money and inconvenience while experiencing no real downside. Therefore, a lot of them do so, and we all suffer.
Therefore, for EV to gain widespread adoption we need more motivators than just security.
Another strong potential motivator for a subset of sites is compliance. Many important compliance standards such as PCI-DSS and HIPAA/HITECH require that sites take measures to protect their customers from loss of sensitive information such as credit card numbers, PII, PHI, and the like. Neither standard names a certificate validation level, and the TLS session itself is no stronger with EV than with a DV certificate; what EV adds is the vetted identity that makes a counterfeit site harder to pass off, which is the route by which phishers obtain this kind of data. On that basis many security and governance departments determine that EV is the most bullet-proof way to ensure successful auditability against these standards.
It happens that the overlap between businesses who are strongly motivated by compliance and those that are strongly motivated by security for its own sake is very high. Financial use cases fall firmly into both these camps, so we’re not adding many sites this way. The main gain here is that healthcare and pharma have strong HIPAA/HITECH compliance requirements and are better than average users of EV SSL.
Once again, the footprint of sites that are motivated to present their authenticated identity is still far short of ubiquity. Many sites will need an additional motivator.
Business is harshly pragmatic. Every business site exists with some end goal in mind. If the business is an online retailer or SaaS company, the goal is obvious. They’re here to sell or deliver goods and services. But every business site has a goal. Otherwise the company would not invest the money, employee time, and focus to create and maintain it.
These goals can include:
For each of these goals, we could calculate economic value. For example, enabling superior customer service translates to increased customer satisfaction and Net Promoter Scores, which in turn translates to improvements in renewal, expanded share of wallet, and word of mouth. Increased service efficiency allows the same service level for the same number of customers to be provided at lower costs. Improving lead generation can reduce cost per lead and add top-line revenue. Increasing use of advertising-driven sites allows more ad units to be sold. And so on.
In each case, improving performance against this goal is directly beneficial to the business. And the security indicator of the green address bar, including the company name in green, can be expected in each case to do just that. Improving user confidence will increase site usage and propensity to engage in transactions, which in turn drives all the objectives listed above.
While the ROI math is different for each of these use cases, because the effort and budget involved in obtaining EV SSL certificates is trivially small, the expected return on the investment is huge. For as little as a few hundred dollars per year and an extra day or two awaiting certificate issuance, any measurable movement in online business KPIs will more than justify the cost.
A slightly subtler point in the same spirit as increased site usage is the impression that a site makes upon its visitors. By displaying a visible security indicator, a business is signaling several important facts to its site visitors. These facts include:
Signaling these messages during an online experience will have a halo effect on the brand’s overall perception. Considering the very large investment made by many companies in creating these brand impressions, EV once again is an extremely easy and cost-efficient way to contribute to these efforts.
All of these benefits depend on the presence of a visual display in the browser.
Browser manufacturers have the opportunity to increase the effectiveness of EV by ensuring the difference between EV and non-EV certs is clearly visible and that business names and other identity information are easy for the user to see. Or browsers could diminish or hide EV certificate information and take away from these benefits. To improve security for their users and the internet as a whole, browser manufacturers need to choose the first path and help users stay safe from online counterfeits of the sites they trust.