Tips on website validation

Photo of a rusty lock

Everyone knows about the ‘lock’ icon in a browser. You open a bookmark or type a URL, the page is displayed, and the lock symbol indicates that the connection between you and the service is encrypted. You can enter a password, bank account details or an Amazon purchase and be confident the information is hidden from prying eyes somewhere on the Internet. That’s valuable protection to have.

Encryption, however, is only half of the protection. The other half is ‘authentication’ of the website: when a site is authenticated you can be confident that the site you’re connected to is the one you meant to reach and not a fake or phishing site. That matters, because an encrypted connection to an impostor still hands your account information to the impostor. You don’t want to be entering it into a site that is pretending to be, for example, your bank website or the university’s UTORid login site.

To provide the strongest website authentication, services use an ‘Extended Validation’ or EV digital certificate. Browsers used to show a green shading, or a green bar carrying the organization’s name, next to the URL for such sites (Chrome and Firefox dropped that indicator in 2019 and now show the verified organization name only in the certificate details behind the lock icon). The green bar, together with the lock, was your indication that the site you are connected to is where you want to be. Why? Because the organization that runs the service and obtained the Extended Validation certificate has to go through a number of procedures to prove its identity to the Certificate Authority (CA). These procedures include providing:

  1. Names of officials, and the mailing address and telephone numbers of the business entity that runs the service.
  2. A business identifier, such as a Dun & Bradstreet (D-U-N-S) number, showing that the business exists as a registered legal entity.
  3. A legal opinion letter from a lawyer (or a letter from an accountant) vouching for the business.

The CA checks all this information before issuing the digital certificate for the website. So the next time you access your bank website or log in to a university service with your UTORid, look for the ‘green bar’ where your browser still shows one, or for the organization’s name in the certificate details behind the lock.

It’s one more item to help you be safe on the Internet.

You might ask: why doesn’t every website use an Extended Validation certificate? Let’s step back and look at digital certificate validation a little more closely. There are three categories of validation for digital certificates:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

We’ve talked about EV. An Organization Validation certificate undergoes a less stringent process: the CA verifies that the organization named in the certificate exists and that the request came from it, without the legal-entity checks required for EV. A Domain Validation certificate undergoes only a basic check that the requester controls the domain name: the CA emails the domain’s registered contact (or a standard address such as admin@ at that domain), or asks the requester to publish a specific DNS record or a file at a well-known URL on the site. A correct response proves control of the domain, and nothing about who is behind it. Some points about these categories:

  • The higher the level of validation, the higher the cost of the certificate from the CA. DV certificates can be very inexpensive or free; Let’s Encrypt, for example, issues DV certificates at no charge. There is evidence[1] that DV certificates are being used for malicious purposes because of the minimal cost and the very weak validation procedure, and that OV and EV certificates are rarely found on malicious sites.
  • The EV certificate was easy for a user to identify by the ‘green bar’. There is no visual indicator in a browser that distinguishes an OV certificate from a DV certificate, so from a user’s perspective there is not much difference between them; the distinction is visible only in the certificate details, where an OV or EV certificate carries the verified organization name in its subject and each validation level has its own CA/Browser Forum policy identifier in the certificatePolicies extension. OV certificates still have value over DV certificates from an organization’s perspective. Every OV certificate issued to the organization carries the same verified organization name, so the organization’s IT infrastructure management tools can inventory the certificates on its servers and confirm that each one was issued to the organization rather than to an impostor or to an individual with a DV certificate. That, in itself, provides a strong measure of validation at a reduced cost compared to the EV certificate.
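The inventory check described in the last bullet, as an added worked example that is not part of the original article: a Python 3 script that classifies a certificate as DV, OV or EV from its DER encoding and, for an OV or EV certificate, confirms that it names the expected organization. It uses only the standard library. The policy OIDs are the real CA/Browser Forum values (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV); everything else, the DER walker, the classification rules, the organization name “Example Bank” and the hostnames, is my own construction for this example. The sample certificates are built by the script itself (unsigned and structurally minimal) so that it runs offline.

```python
POLICY_EV, POLICY_OV, POLICY_DV = "2.23.140.1.1", "2.23.140.1.2.2", "2.23.140.1.2.1"  # CA/B Forum policy OIDs
OID_CERT_POLICIES, OID_CN, OID_ORG, OID_SERIAL = "2.5.29.32", "2.5.4.3", "2.5.4.10", "2.5.4.5"
OID_JURISDICTION_C = "1.3.6.1.4.1.311.60.2.1.3"    # jurisdictionOfIncorporationCountryName (EV only)

def der_read(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    pos = 0
    while pos < len(value):                            # walk the TLVs packed in a constructed value
        tag, child, pos = der_read(value, pos)
        yield tag, child

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_name(value):
    attrs = {}                                         # Name ::= SEQUENCE OF SET OF (type OID, value)
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))
            attrs[decode_oid(oid)] = val.decode("utf-8", "replace")
    return attrs

def extract(cert_der):
    _, tbs, _ = der_read(der_read(cert_der)[1])       # Certificate -> tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    subject = parse_name(fields[4][1])                # serial, sigAlg, issuer, validity, subject, ...
    policies = []                                     # OIDs from the certificatePolicies extension
    for tag, val in fields[6:]:
        if tag != 0xA3:                               # EXPLICIT [3] Extensions
            continue
        for _, ext in der_children(der_read(val)[1]):
            parts = list(der_children(ext))           # extnID, [critical], extnValue (OCTET STRING)
            if decode_oid(parts[0][1]) == OID_CERT_POLICIES:
                for _, info in der_children(der_read(parts[-1][1])[1]):
                    policies.append(decode_oid(next(der_children(info))[1]))
    return subject, policies

def classify(subject, policies):
    if POLICY_EV in policies:                         # policy OID is the primary signal ...
        if all(k in subject for k in (OID_ORG, OID_SERIAL, OID_JURISDICTION_C)):
            return "EV"                               # ... and EV must carry the EV identity fields
        return "OV"                                   # EV OID without EV identity: not trusted as EV
    if POLICY_OV in policies or (OID_ORG in subject and POLICY_DV not in policies):
        return "OV"
    return "DV"

def check_certificate(cert_der, expected_org=None):
    """Classify and, when expected_org is given, confirm the cert names our organization."""
    subject, policies = extract(cert_der)
    level, org, warnings = classify(subject, policies), subject.get(OID_ORG), []
    if expected_org is not None and level == "DV":
        warnings.append("DV certificate: no verified organization to compare")
    elif expected_org is not None and org != expected_org:
        warnings.append(f"organization {org!r} != expected {expected_org!r}")
    return level, subject.get(OID_CN), warnings

# --- minimal DER encoder, used only to build the CONSTRUCTED sample certificates below ---
def der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        groups = [(a >> s) & 0x7F for s in range(0, a.bit_length() or 1, 7)][::-1]
        out += [g | 0x80 for g in groups[:-1]] + groups[-1:]
    return der(0x06, bytes(out))

def name(attrs):
    return der(0x30, *[der(0x31, der(0x30, encode_oid(o), der(0x0C, v.encode()))) for o, v in attrs])

def sample_cert(subject_attrs, policy_oids):
    """Unsigned, structurally minimal v3 certificate, constructed for this demo (not a real cert)."""
    alg = der(0x30, encode_oid("1.2.840.113549.1.1.11"))       # sha256WithRSAEncryption
    ext = der(0x30, encode_oid(OID_CERT_POLICIES),
              der(0x04, der(0x30, *[der(0x30, encode_oid(p)) for p in policy_oids])))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              name([(OID_CN, "Demo Issuing CA")]),
              der(0x30, der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),
              name(subject_attrs), der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1")), der(0x03, b"\x00")),
              der(0xA3, der(0x30, ext)))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))

EV_CERT = sample_cert([("2.5.4.6", "CA"), (OID_JURISDICTION_C, "CA"), (OID_SERIAL, "123456789"),
                       (OID_ORG, "Example Bank"), (OID_CN, "online.example-bank.test")], [POLICY_EV])
OV_CERT = sample_cert([(OID_ORG, "Example Bank"), (OID_CN, "intranet.example-bank.test")], [POLICY_OV])
DV_CERT = sample_cert([(OID_CN, "blog.example.test")], [POLICY_DV])
FAKE_EV = sample_cert([(OID_ORG, "Example Bank"), (OID_CN, "www.example-bank.test")], [POLICY_EV])

if __name__ == "__main__":
    for label, cert in ("EV", EV_CERT), ("OV", OV_CERT), ("DV", DV_CERT), ("EV OID only", FAKE_EV):
        print(label, check_certificate(cert, expected_org="Example Bank"))
```

To run it against a live site, feed `check_certificate` the DER bytes of the leaf certificate (for example `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`) and pass the organization’s exact registered name as `expected_org`. The DV sample produces a warning because there is no verified organization to compare, and the last sample, which carries the EV policy identifier but none of the registration-number and jurisdiction fields the EV Guidelines require, is deliberately classified as OV rather than EV.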

To conclude, here are some points for users and service providers to keep in mind when using certificates:

  1. When you’re shopping or banking online and are prompted for sensitive information such as passwords, credit card or banking details, look for the organization’s name alongside the lock (the ‘green bar’). Not every browser shows the green indication in the same way, and current versions of the major browsers no longer show it at all; in that case click the lock and check the certificate details.
  2. If you’re a service provider, use EV certificates for the websites that handle the most sensitive information, and OV certificates for everything else.
  3. Use DV certificates only for test or personal sites. They still encrypt the connection, but they say nothing about who runs the site.

[1] https://casecurity.org/identity/