Score:0

Practical difference between a DV and EV/OV SSL certificate?


When I view a site's SSL certificate from a browser, it always says in the "Issued to" section that the organisation is not part of the certificate.

If end users cannot independently verify my organisation (I assume the browser now does that for them), what is the practical value of having an OV/EV certificate? Is it for some other reason? If so, what?

I see that at the time of writing Comodo says that not only does OV/EV show the organization details in the certificate, but:

In addition to the secure padlock symbol, EV SSL certificates activate the "green address bar" in select web browsers by displaying the authenticated company name in green adjacent to the web address.

I don't think either statement has been true for about a couple of years now for most browsers. They list some other benefits, but these seem marginal ("Comes with the ComodoCA Trust Logo" - is there much evidence that end users know or care about that?).


EDIT: Since I posted my question, I now see that there are some sites that have an organisation in their certificates: uk.yahoo.com (albeit showing as "Oath Inc") and www.bankofengland.co.uk. This obviously negates my initial point. But I think my main question still stands. Curious that Google don't use EV though.

dave_thompson_085
For anyone who didn't know, Yahoo was acquired by Verizon which combined it with AOL and HuffPost into a subsidiary called Oath and is now trying to sell that. Hence the naming, for now. Validating the organization running a website is only useful if the organization exists long enough for people to remember it, which in modern business is becoming rarer and rarer :-) Google's nonuse is less curious because Google has been working to _downplay_ EV in Chrome; see https://security.stackexchange.com/questions/52387/does-google-use-extended-validation-certificates .
Score:2

I will let Troy Hunt's "Extended Validation Certificates are (Really, Really) Dead" (August 2019) answer your question. The older article has all the examples with pictures, but to summarize:

The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.

... no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.

Comodo is free to state anything while trying to make profit with this product as long as they can.

Also, criminals could use the ComodoCA Trust Logo on e.g., a phishing site as they are already breaking the law and, therefore, it would not add much to their burden of sin.

Score:1

An OV/EV certificate would contain the O (Organization), C (Country), etc values (part of that the CA states that they have validated), all visible to any user who actually decides to look at it.

In more detail, if we look at two different major branches of browsers:

For Chrome (92): for EV it shows directly in the overview that pops up when you click the padlock symbol "Issued to: O [C]" (Organization name and country)
For Firefox (90): for EV it shows directly in the overview that pops up when you click the padlock symbol "Certificate issued to: O" (Organization name)

(The "green address bar" mentioned in the question is in reference to a historical UI element that showed essentially the above information directly in the address bar.)

For Chrome and Firefox: for EV as well as OV, if you click through to view the actual certificate and go to the "Subject" section, you would have the full list of claimed information about the subject. O (Organization), OU (Organizational Unit), L (Locality), S (State/Province), C (Country), whatever else may be included.

So it is all there and can theoretically be inspected by any end user. The problem in this regard is that it is very rarely actually viewed by users in practice.
I suppose there is a slightly higher chance that the summary for EV certs (with O and sometimes C) is seen by a user, but even that is a real long shot.

And for completeness, any of these certs only contain the values about the subject that have been validated by the CA, meaning that for DV certs, the subject section will not have any of this information as the CA has only validated that the subject controls the domain name in question. The useful part of a DV cert would really only be the SAN section, but that is what the browser is already validating for you and throwing a fit if there is a mismatch.
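To make the Subject-versus-SAN distinction in this answer concrete, here is an added example (not from the answerer or any CA) that builds two self-signed test certificates with Go's standard library, one DV-style with only a CN and SAN, one OV/EV-style with O and C in the Subject, and reproduces the padlock "Issued to" summary from each. The organisation "Example Ltd", the country "GB" and the host www.example.com are constructed values; the certificates are self-signed here only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test certificate (constructed for this example, not issued by
// any CA) with the given Subject and SAN list, then parses the DER back as a browser would.
func makeCert(subject pkix.Name, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames, // the SAN section: the only identity a DV cert really carries
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssuedTo mirrors the padlock "Issued to" summary: with no O in the Subject (DV) there is
// nothing to show; with O present (OV/EV) it renders "O [C]" the way Chrome does.
func IssuedTo(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return "(organisation not part of the certificate)"
	}
	s := cert.Subject.Organization[0]
	if len(cert.Subject.Country) > 0 {
		s += " [" + cert.Subject.Country[0] + "]"
	}
	return s
}

func main() {
	dv, _ := makeCert(pkix.Name{CommonName: "www.example.com"}, []string{"www.example.com"})
	ov, _ := makeCert(pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd"}, Country: []string{"GB"}}, []string{"www.example.com"})
	// VerifyHostname is the SAN check the browser already performs for every certificate type.
	fmt.Println("DV:", IssuedTo(dv), "| SAN matches:", dv.VerifyHostname("www.example.com") == nil)
	fmt.Println("OV:", IssuedTo(ov), "| SAN matches:", ov.VerifyHostname("www.example.com") == nil)
}
```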


