SSL/TLS certificates let a client and a server, or two servers, establish an encrypted communication channel, so that cybercriminals on the network cannot tamper with the data in transit.
There are three standard types of SSL certificate issued by Certificate Authorities: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). EV certificates provide the highest assurance that the domain is NOT associated with a bad actor. When users see a green or company-branded address bar next to the URL, they know that they are on a trusted domain.
The process for a Certificate Authority (CA) to issue an EV SSL certificate is more stringent than for DV or OV certificates. The CA checks that the requesting business is a legal entity, and the validation requires sufficient disclosure of business information to perform this verification. There is an additional human step in which the entity is contacted by phone to verify its identity. Processing can take several days, depending on the requestor’s availability during the telephone verification phase.
EV Certificate Authentication Process
EV shows users that the website employs best-of-breed security measures to protect transactions and ensure compliance with standards and regulations.
Before issuing an Extended Validation certificate, the Certificate Authority follows a seven-stage process based on guidelines determined by the CA/Browser Forum.
EV Enrollment: Verifies that the applicant is indeed an employee of the company or organization and is authorized to proceed with this certificate purchase.
Organization Authentication: Verifies, via government registration information, that the applying organization is a legally registered entity and that it is active in the registered location.
Operational Existence: Verifies that the organization has been in existence for 3+ years. If not, additional documents are required (intended to complicate the process for cybercriminals attempting to set up shell companies to obtain EV certificates).
Physical Address: Verifies that the organization has a real physical address in its country of registration.
Telephone Verification: Verifies that the organization’s telephone is a working phone number.
Domain Authentication: Verifies that the organization is the rightful owner of the domain named in the request.
Final Verification Call: CA calls the applying organization contact to verify the EV application.
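The vetting stages above leave a visible trace in the issued certificate: a browser decides on EV treatment from the CA/Browser Forum policy OID in the certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), and the EV Guidelines additionally require identity attributes in the subject (organization, country, businessCategory, registration serialNumber and jurisdictionOfIncorporation). The following Go program is an added example, not code from the original article or from any CA; it builds a constructed self-signed certificate carrying a chosen policy OID and subject, then classifies it, so a defender can apply the same checks to a real leaf certificate obtained from a TLS connection. The hostname, organization name and registration number are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum certificate-policy OIDs. Browsers key EV treatment off the
// policy OID, not off the human-readable subject text.
var (
	PolicyEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	PolicyDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	PolicyOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}

	// Subject attributes the EV Guidelines require alongside O and C.
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidSerialNumber        = asn1.ObjectIdentifier{2, 5, 4, 5}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// ValidationLevel maps the certificatePolicies extension to "EV", "OV", "DV"
// or "unknown" (a private CA or a non-CA/B policy OID).
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(PolicyEV):
			return "EV"
		case p.Equal(PolicyOV):
			return "OV"
		case p.Equal(PolicyDV):
			return "DV"
		}
	}
	return "unknown"
}

// HasEVSubjectFields reports whether the subject carries the identity
// attributes that the EV vetting stages produce: organization and country,
// business category, registration number and jurisdiction of incorporation.
func HasEVSubjectFields(cert *x509.Certificate) bool {
	present := map[string]bool{}
	for _, n := range cert.Subject.Names { // Names holds every parsed attribute
		present[n.Type.String()] = true
	}
	return len(cert.Subject.Organization) > 0 &&
		len(cert.Subject.Country) > 0 &&
		present[oidBusinessCategory.String()] &&
		present[oidSerialNumber.String()] &&
		present[oidJurisdictionCountry.String()]
}

// policyInformation is RFC 5280's PolicyInformation SEQUENCE (qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// selfSignedCert builds a constructed, self-signed test certificate with the
// given policy OID and subject, so the classifier can run offline. The
// extension is marshalled by hand so the code works across Go versions.
func selfSignedCert(policy asn1.ObjectIdentifier, subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{"example.com"}, // constructed hostname
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidExtCertificatePolicies, Value: polDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EVSubject is a constructed subject with the attributes an EV CA populates.
func EVSubject() pkix.Name {
	return pkix.Name{
		CommonName:   "example.com",
		Organization: []string{"Example Corp"},
		Country:      []string{"US"},
		SerialNumber: "1234567", // company registration number (constructed)
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
		},
	}
}

// DVSubject is a constructed subject as a DV CA would issue it: hostname only.
func DVSubject() pkix.Name {
	return pkix.Name{CommonName: "example.com"}
}

// Classify returns the policy-derived level and whether the EV identity
// fields are present, so a mismatch (EV policy without identity) is visible.
func Classify(policy asn1.ObjectIdentifier, subject pkix.Name) (string, bool, error) {
	cert, err := selfSignedCert(policy, subject)
	if err != nil {
		return "", false, err
	}
	return ValidationLevel(cert), HasEVSubjectFields(cert), nil
}

func main() {
	fmt.Println(Classify(PolicyEV, EVSubject())) // EV true <nil>
	fmt.Println(Classify(PolicyDV, DVSubject())) // DV false <nil>
}
```

On a live connection, ValidationLevel and HasEVSubjectFields can be run directly on `conn.ConnectionState().PeerCertificates[0]`; the policy OID is the authoritative signal, and a certificate that claims the EV policy while lacking the subject identity fields is worth flagging for closer inspection.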
Given the rigor and information disclosure involved, cybercriminals are statistically far more likely to apply for DV or OV certificates than undergo the vetting process to acquire an EV certificate.
While no CA can know the “intent” of an organization seeking an SSL certificate, the process above strives to vet the legitimacy and authenticity of the domain at the time of issuance. EV is one of the best (visible) trust indicators in place today.