Extended Validation (EV) SSL and Small Businesses


I’m Markellos Diorinos, and I am a product manager with the Internet Explorer team. Yesterday I read a story in the Wall St. Journal about how some small businesses, such as the featured Aunt Joy, will receive a lump of coal this Christmas, as they are unable to get the new EV SSL Certificates. Kelvin and Rob have previously discussed EV Certificates, but I wanted to share some of my thoughts with you.

Just like regular SSL certificates, EV SSL certificates will only be used when sensitive information is transferred online, e.g. while entering credit card info or logging into an email account. So don’t expect to see a green bar all the time – only when you are about to make a trust decision and enter sensitive information do you need to look for the green bar, to confirm the identity of the recipient of that information. Even on banking sites, only the online banking portion of the site will use the EV SSL.

The EV SSL Guidelines are an industry-wide initiative of the CA/Browser Forum, with the participation of many browser vendors and certification authorities. The current guidelines cover most businesses, except for some types of small businesses that are not incorporated (sole proprietorships, general partnerships and individuals). The guidelines set down rules for CAs to confirm a requestor’s legal existence and identity, and their control of a domain. The Forum members found that this was achievable for incorporated entities, but much more difficult for these smaller businesses, where legal registration practices vary, often from county to county in the US and from country to country. Verifying an individual’s identity is harder still, particularly for a transaction such as buying an SSL certificate, which is typically done online rather than in person. Given the benefits that EV Certificates bring for consumers and businesses alike, it only makes sense to make EV available as soon as possible, and to keep improving the guidelines to cover all types of businesses.

Until a version of the guidelines that covers all businesses becomes available, those not covered can still use regular SSL certificates, or use EV SSL through one of the following options:

· They can partner with a 3rd party for transaction processing, such as PayPal

· They can use their web-hoster or some other 3rd party for hosting their secure pages

· They can use one of the available ‘store-in-store’ systems to host their presence (such as eBay or Yahoo stores).

Aunt Joy thinks that she will not be able to use EV SSL for her business – but she should take another look in her stocking. Aunt Joy apparently never got an SSL certificate in her own name – but instead used two of the alternatives outlined above: she has her own web site, with secure pages hosted by her provider using their SSL Certificate, and a ‘store-in-store’ with eBay Stores. This means that with the availability of EV Certificates (and as soon as eBay and her web-hoster upgrade to EV SSL), both of Aunt Joy’s stores will be able to light up with the green address bar and new identity information during the checkout process. What’s best is that Aunt Joy – and many small businesses like her – will enjoy the benefits of EV SSL for their business and for their customers without having to do a thing!

It appears that Phishers may be the only ones who will have to make do with a lump of coal this Christmas.

Markellos Diorinos
IE Product Manager

Comments (17)

  1. jackson says:

    Just how many "Program Managers" are there at Microsoft’s Internet Explorer team? Yikes!

    Better question, how many developers?

  2. Milo says:

    In other words: CAs will start issuing EV SSL certificates, which are backed by the promise that the CA does their ultra-super-duper bestsies to ensure that the business is who they say they are.

    But not if it’s too hard for the poor old CA.  Wouldn’t want them to earn their money.

  3. I think the general complaint is that SSL in general is too cost prohibitive, and EV just adds another level of costs to an already burdening process.  The web is a cheap medium, until e-commerce comes into effect.  Companies like PayPal only work for certain countries, and do take a nice percentage.  Not all customers like it either.  SSL is a confusing thing to purchase (from who?  What browsers support what root cert?  Chained Cert?  Warranty?), and can cost a fair amount to get a compatible cert that isn’t chained like a boat anchor.  EV just makes the selection process more difficult.

    If your business is tech related, it may not be so bad, but if you’re not, and tech is generally a burden to business… it’s another large roadblock to ecommerce.  Something that helps the Walmarts.

    Still waiting to see a truly affordable, and well trusted root that supports EV, and isn’t chained to the point of making a sysadmin cry.  I think at that point, many businesses will take the plunge and join in.

    Until then, I think it’s more of a Truste attached to SSL.

  4. James says:

    Yeah, what Robert said. I want a system that assures consumers that the small business I’ve never heard of is totally legitimate, and I want that system to be dirt cheap and easy for legitimate small businesses to sign up for. (But, of course, also impossible for scammers and illegitimate businesses to enroll in.)

    Oh, and a pony.

  5. Stuart says:

    Surely if a small business can simply use a third party to gain access to an EV SSL certificate then wont the third party need to verify that the small business is valid also? If not then surely all responsibility then rests with the third party.

  6. Geoff Van Brunt says:

    I think EV certs are simply a cash grab by the major CA’s. Originally the excuse for them charging large prices for "old" certificate was because they had to "verify" a business etc. What a crock. Some charge over $1000 for a single server certificate when all they are doing is generating a cert.

    Oh yeah, they are supposedly protecting the cert, and hosting the revocation list etc. But then again, didn’t VeriSign give someone Microsoft’s certificate a few years ago? I sure hope the "new" certs are protected better…

  7. martin says:

    I had the same thought Stuart had while reading the story … but how much of a problem the 3rd party thing is depends a lot on how the eBays/Yahoos of the world treat the data … if they never pass on my CC number to Aunt Joy, then I don’t really care that Aunt Joy is piggy backing on eBay/Yahoo’s cert.  I’ll "know" that Aunt Joy (not that she would do this) isn’t going to go shopping with my CC number, because only eBay/Yahoo got it.

    Why don’t I care that much about EV in general?  Because even with EV, I still don’t know that I can actually trust who I sent the information too.  I can just feel a little bit better that they managed to convince a CA that they are who they say they are.

    And I’m not sure I know if that really buys me anything at all … I mean MAYBE it’ll make it easier for me to pursue legal action against the correct people when they mishandle my data or otherwise don’t fulfill whatever obligations they might have to me (sending me a product I purchased, etc) … but probably not … am I going to take a screen shot of every green bar I see in case I need to say "of course it was YOU I sent my SSN to, the bar was GREEN, and I don’t enter my SSN unless its GREEN."

    To me the issue with the whole SSL thing is that users have somehow been trained to think that it means they can trust who they’re dealing with, and that will maybe get worse with EV (of course they can be trusted, they’re GREEN!) … which is no more true than it is to think a notarized signature means you can trust the person whose signature it is not to try to screw you over.

    If the idea of EV actually IS to provide an assurance of trust, then I look forward to seeing the new industry of CA malpractice insurance. 🙂

    The whole thing definitely makes it a lot more attractive for Bad Guys to try to work out ways to fool people into installing root EV CA certs though.

  8. Certificates are getting out of hand says:

    Everything coming out of Microsoft lately is loaded with certificate requirements. WCF is a nightmare because of it. All I want to do is hit F5 and run the service to test but no, you need SSL or certificates all configured etc… Certificates are not much more secure than a username/password combo since they can be exported and installed anywhere.

    They are a huge hassle to use and manage. Not to mention they cost so much to buy.

  9. PatriotB says:

    @jackson — this guy’s a "product manager" not "program manager".  Product manager is marketing, whereas program manager is actually working on the product.

    See http://members.microsoft.com/careers/careerpath/marketing/product.mspx vs. http://members.microsoft.com/careers/careerpath/technical/programmanagement.mspx.

  10. Thomas Finch says:

    A shakedown? We just received our offer for the new EV SSL certificate at $900 per year (versus $150 for the SSL cert).

  11. Abel Lineberger says:

    And yet another headache for all the users of Microsoft’s own Small Business Server, which uses certificates + username/passwords for logging into Remote Workplace.  And yes, SBS can generate its own certificates, but IE7 does a wonderful job of driving away even the registered users from a self-generated certificate.  I hate to think what it will look like when your SBS certificate isn’t EV.

    This is ridiculous.  

  12. @Abel Lineberger

    EV SSL does not change the way IE7 loads pages from Small Business Server. Any page signed with a valid, installed root will show the lock in the address bar of IE7.

    You may want to give your users that experience on your self signed SSL pages. You can install the root for your certificates by following these instructions:

    http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true

    To make the process easy for your users, you could consider using the IEAK or Group Policy to package up the roots for them.
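    One way to carry out the root install the comment describes, and to confirm that the chain actually builds afterwards, as an added example (not the commenter’s, Microsoft’s, or the linked article’s code). It assumes PowerShell on Windows 8 / Server 2012 or later (for the `Import-Certificate` cmdlet of the PKI module), an elevated session, and two hypothetical files: the self-issued root at `C:\certs\sbs-root.cer` and the server certificate at `C:\certs\sbs-server.cer`.

```powershell
# Added example: check whether a server certificate chains to a root the local
# machine already trusts; if not, import the self-issued root and check again.
# Assumed (hypothetical) file paths; Windows 8 / Server 2012+ PKI module; elevated session.
param(
    [string]$RootCerPath   = 'C:\certs\sbs-root.cer',
    [string]$ServerCerPath = 'C:\certs\sbs-server.cer'
)

function Test-ServerCertChain {
    param([string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check: skip revocation lookups so the result reflects only
    # whether the root is trusted, not whether a CRL could be downloaded.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $built
        # Empty when the chain built; otherwise e.g. "UntrustedRoot"
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$before = Test-ServerCertChain -CerPath $ServerCerPath
Write-Host "Before import: Trusted=$($before.Trusted) Status=$($before.Status)"

if (-not $before.Trusted) {
    # Everything in Cert:\LocalMachine\Root is trusted for every HTTPS site on
    # this machine, so only roots you issued and control belong here.
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    $after = Test-ServerCertChain -CerPath $ServerCerPath
    Write-Host "After import: Trusted=$($after.Trusted) Status=$($after.Status)"
}
```

    Run it once on a single machine to confirm the server certificate reports `Trusted=True` with an empty status; for a fleet, the same root file can be distributed through Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities) instead of importing it by hand on each client.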

  13. This is a great service for large corporations and a great way to set small business back several years.  Clearly this is saying that big business is safer and more trustworthy than small businesses.  The argument that a sole proprietorship, among others, is too hard to evaluate is nonsense; what it means is nobody wants to put anything into investigating a company, just look it up in Dun & Bradstreet and give the OK for $900/year.

    I am a sole proprietorship, I pay workers compensation, 20 different kinds of taxes, I have bought SSL certificates, taken my clothes off to get merchant accounts, and the list goes on, but the fact that I am not a scammer or if I really exist cannot be ascertained?  Nonsense!  Oh yes, I sell garden and pet products not you big scam products, also not big margin products.

    What clearly shows the CA’s true colors is that a big corporation can take on a small business….please give me some air here!  As a consumer that means the ONLY companies you can trust are the big corps because look, they can vouch for the small guy.  I won’t go into the issues around how corporations lack any ethical or moral head because they only have one value and that is grabbing the almighty dollar; customer service, honesty and all that are just pesky things that they have to do to make money, and if they do not have to do them they don’t.  I can only hope that this scam is exposed for what it truly is.

  14. TMaster says:

    I have to say I’m a bit concerned as well. I’m aware enough that regular encrypted traffic (that’s not self-signed anyway) is probably safe, and after checking myself would trust the site – but I don’t know how Joe Average is going to respond.

    Of course, there are ways around the problem of not having a green bar; by using eBay, for instance. However, it’s a sad thing that these EV certs are probably going to be a real hassle to obtain, not to mention the undoubtedly huge (no, I don’t mean the Microsoft-huge here, I mean the Aunt Joy-huge) cost associated with the process.

    Good luck to all you guys who might see Bad Things happen due to EV certs being introduced.

    I’m not really convinced why regular HTTPS (which has been signed by a CA trusted by IE, anyway) cannot have a green bar.

  15. CloneZero says:

    I have more of a question on how the new certificates are handled by the browser, both IE7 and older versions such as IE6/5.5/5.  Does anyone know of a site where we can test out how browsers behave?

  16. Ian Ringrose says:

    I think that EV SSL should ONLY be used by banks etc, e.g. sites that let people take my money if they get my password.  Normal SSL is good enough for sites that JUST ask for my credit card number, as it’s the credit card companies’ problem if someone misuses my card, not my problem.

    My bank should be asking me to confirm the transaction on their website BEFORE handing the money over, not trusting a company just because they have my credit card number.  Whatever happened to “verified by visa”?

    If EV SSL becomes too common then it will not be useful, as “green bar” will no longer mean trusted bank.

    Maybe IE should never display a green bar on a web page that is accessed directly or indirectly from a link in an email message even if the page has an EV SSL.  After all I have the URL for my bank in my favorites and would never consider accessing it another way as the risk is too great.

  17. More Gumbo says:

    For the SECOND week in a row, I’m heading into town for a lunch meeting at Bayou City Seafood and Pasta. This time, I’m working with two guys who developed the best stock trading course I’ve ever seen.
