Help and FAQ ▸ What is EV SSL?

What is EV SSL?

Extended Validation SSL - properly called EV TLS or, for websites, EV HTTPS certificates, is how websites verify their identity. For example, there are many Apple sites on the internet - selling iPhones, Apple accessories, and other related goods. Anyone can register a domain, even a domain with 'apple' in it, and make a website that looks like Apple's website.

But only the real Apple website shows 'Apple, Inc.' in browsers:

EV HTTPS certificates contain the verified legal identity, and are cryptographic proof that someone - a certificate authority - has verified the legal identity as being the person who controls that certificate.

Typical legal entities for EV HTTPS are: companies, sole proprietors, partnerships, and registered charities.

Website owners use EV HTTPS certificates to:

What is DV SSL?

In the mid 90's, the original SSL requirements specified that verification must be 'sufficient for the purposes of online commerce', hence CAs were expected to verify the identities before handing out certificates.

Users would request a certificate, filling in various details about their company, and a certificate authority was responsible for checking the identity of the company through phone directories, verifications calls, and faxes (it was the 90's after all).

The verification process was slow, but the results were that everyone knew who they were talking to when HTTPS was enabled.

This changed in the early 2000's when GeoTrust invented 'domain validated SSL'. GeoTrust scrapped the identity verification process and simply required people to register a domain in order to obtain a certificate. This is called opportunistic encryption: the connection itself is encrypted, but anyone could be on the other end of the connection. For GeoTrust though, scrapping verification requirements meant a rapid increase in their profit margins as DV certificates could be issued for close to no cost.

GeoTrust's strategy worked: they made a lot of money and were bought by Symantec, making the founders rich at the expense of web users.

The baseline and EV guidelines

Since not all CAs were following the same standards, CAs and browsers (via the CA/Browser forum, aka CABForum) began to create standards for how certificates were validated. The baseline requirements apply to all certificates, and specify the minimum vetting for all certificates: ie that the certificate owner has a domain. The baseline requirements do not involve any checks that assert the identity of certificate owners.

The Extended Validation requirements specify the identity checks required for issuing EV certificates. These change depending on the legal entity type, but for a typical company they involve government and third party business directory checks, verification calls, and inspection of the domain names involved. For sole proprietors they require manual checks of government ID too, since sole proprietors are their own legal entity.

Does EV have better encryption than DV?

No. The info in the certificate is signed using the same hashing algorithm, same strengths, and same technology. Both EV and DV certificate provide confidentiality and integrity.

Is EV more secure than DV?

Yes. EV certificates provide better authentication - specifically, they verify the legal identity of the certificate holder. DV certificates do not.

I'm a software developer - could I have a more technical explanation?

If you'd like to understand why it's important to verify public keys, want to see the differences in certificate contents, or want to see how EV compares with verification in non-HTTPS technologies, read on.