I don't know about other CAs, but at SSL.com we issue a very limited number of 
EV SSL certificates in comparison to other certificates so it's not a big 
revenue driver.

However, as a user I support EV SSL. I personally have never come across a scam 
site that displayed an EV SSL (I'm not saying they don't exist). Has anyone 
else come across a "scam site" displaying EV that's not part of an academic 

An EV SSL only connects the site domain to its registered owner, nothing more. 
After that, I can decide whether to trust that company or if more research is 
warranted. At the end of the day, the user must make a decision based on the 
information they are given. This includes reviewing the EV SSL, domain name, 
site contents and third party reviews and listings. With the removal of EV from 
the browser UI, that's one less signal users can rely on. 

For instance, my inbox receives increasingly sophisticated spam and phishing 
mailers that require me to do double and triple takes. This results in 
legitimate emails potentially being flagged as spam. One of the signals I use 
to verify linked sites within the emails is if they display EV certificates. I 
do not entirely rely on EV, but it helps to build a subconscious trust profile 
of that site along with the domain, content, site reviews and search listings. 
As a result, I've determined on a number of occasions that the emails were 
indeed authentic in part because of the EV. In this business, paranoia is 

Recently a neighbor asked me to verify a shoe site that he just purchased 
loafers from. Several red flags (ie Chanel header banner, unfamiliar domain 
name, etc) and no EV SSL prompted me to recommend he dispute the charge. Weeks 
later he confirmed it was indeed a scam site. Had the site displayed an EV SSL, 
I would have investigated more knowing the extra effort required to pass EV 
validation. But since no EV SSL appeared on the site, I didn't feel the need to 
waste any more time on the site.

I can't be the only person whose aunt, neighbor or spouse asks me to help 
verify a site. This tells me that they do not understand how to properly read 
the EV information, not that EV SSL is bad or ineffective.

I'm confounded why anyone would want less independently verified information on 
a site as opposed to more for fear EV doesn't perfectly suit their 
expectations. Well-known sites like google.com and amazon.com might not need EV 
as much as less well-known sites, but there are only a small number of these 
well-known sites. 

In comparison, the vast majority of sites are lesser-known and could benefit 
from as many validation signals as possible. I would think a local hospital or 
credit union who are increasingly targeted by phishing scams might argue an EV 
certificate would be one of the tools to help combat these types of scams. 

No single solution is perfect to eliminate online scams including EV SSL, but 
by removing the EV UI, the proverbial baby bath water comes to mind. I think 
the original intent of EV was and still remains noble. We should try to improve 
upon it, not discard it or relegate it to a virtually useless state. 

Scammers are a wily bunch, and they will always find some success in gaming or 
circumventing any system where human trust is involved. Let's try to make if 
harder for them, not throw our hands in the air and give up. At a minimum, 
consider keeping a color coded lock that would not take up any additional 
browser real estate and would give users "in the know" the EV signal. 

Otherwise, if the browsers have finalized their collective decisions on the 
matter, I do hope something better comes along that will benefit everyone. 
Treating all SSL/TLS certs as DV I think is a step backwards to 2007 when there 
was no EV, but we all knew something more than DV or OV was needed.

dev-security-policy mailing list

Reply via email to