I mentioned that I recently gave a Web seminar with some lively questions at the end. I'll present some of the questions I received, with my responses. Because I received so darn many questions, I'll break this one into multiple postings.
Q: If EV is so far ahead of standard SSL (in terms of security/authentication), do you think the PCI industry will mandate EV in the near future?
A: I certainly hope so. EV is a definite improvement to a consumer's ability to protect herself against credit card theft, and the PCI standard is all about reducing credit card theft. It's not only in the interest of the consumers but also in the interest of the issuing banks, who usually are the ones that wind up eating bad credit card debt.
Q: What is the cost of implementing EV?
A: Costs break into two pieces. The first is the cost of the certificates themselves. EV certificates are more expensive than standard certificates because the certificate issuer needs to support an entirely new authentication and auditing process. You can see the prices for VeriSign EV SSL Certificates here.
The second cost is the project itself. For whichever services you plan to roll EV certificates out to, you will need staging and QA, possibly some development, and eventually installation and rollout of the new certificates. Each organization needs to size this project for itself.
Q: How much more secure is Extended Validation SSL as opposed to old-style SSL?
A: Let's be clear that the security advantage of EV SSL lies in its defence against social engineering attacks like phishing. EV does not change the cryptography: the handshake and encryption, revocation checking, expiration management and the other classic PKI features of the certificate are the same as for standard SSL. What changes is how rigorously the certificate authority verifies the organization before issuing, and how the browser displays that result to the user.
It is also worth noting that wildcard certificates and validity periods longer than two years are disallowed by the EV standard, because they're considered less secure from a PKI perspective: a wildcard covers hosts the CA never individually vetted, and a long lifetime delays the point at which the organization must be re-verified.
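The constraints above can be checked mechanically. The following is an added example, not code from the original post or from VeriSign: it uses the `cryptography` library to inspect a certificate for an EV policy OID in the Certificate Policies extension, for wildcard names in the CN or SAN list, and for a validity period over the two-year limit stated above. The OID list is an assumption (the CA/Browser Forum EV OID plus VeriSign's CA-specific one); the browser's EV root store is the authoritative source. The two sample certificates are self-signed and constructed purely for the example. Note that the maximum lifetime for publicly trusted TLS certificates of any kind has since shrunk to 398 days, so the two-year figure reflects the rules at the time of the post.

```python
"""
Check whether an X.509 certificate meets the EV constraints discussed above:
an EV policy OID in Certificate Policies, no wildcard names, and a validity
period no longer than the stated maximum.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Policy OIDs that mark a certificate as EV. The first is the CA/Browser Forum
# EV OID, the second is VeriSign's CA-specific EV OID. This list is an
# assumption for the example; verify it against the browser's EV root store.
EV_POLICY_OIDS = {
    "2.23.140.1.1",
    "2.16.840.1.113733.1.7.23.6",
}

# The post states that EV certificates may not run longer than two years.
MAX_EV_LIFETIME = timedelta(days=2 * 365)


def _validity(cert):
    """Return (not_before, not_after); works across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def _dns_names(cert):
    """Collect the subject CN and every DNS entry in the SAN extension."""
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names.extend(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    return names


def _policy_oids(cert):
    """Dotted-string policy OIDs from the Certificate Policies extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {p.policy_identifier.dotted_string for p in ext.value}


def ev_violations(cert, max_lifetime=MAX_EV_LIFETIME):
    """Return the reasons a certificate fails the EV constraints (empty if none)."""
    problems = []
    if not _policy_oids(cert) & EV_POLICY_OIDS:
        problems.append("no EV policy OID in Certificate Policies")
    wildcards = [n for n in _dns_names(cert) if n.startswith("*")]
    if wildcards:
        problems.append("wildcard name(s): " + ", ".join(wildcards))
    not_before, not_after = _validity(cert)
    lifetime = not_after - not_before
    if lifetime > max_lifetime:
        problems.append(f"validity {lifetime.days} days exceeds {max_lifetime.days} days")
    return problems


def make_test_cert(dns_names, lifetime_days, ev):
    """Build a self-signed certificate for the example (constructed sample data,
    not a real EV certificate, which only a CA can issue)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0]),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
    ])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=lifetime_days))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    )
    if ev:
        builder = builder.add_extension(
            x509.CertificatePolicies([
                x509.PolicyInformation(x509.ObjectIdentifier("2.23.140.1.1"), None)
            ]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    good = make_test_cert(["www.example.com"], 365, ev=True)
    bad = make_test_cert(["*.example.com", "example.com"], 3 * 365, ev=False)
    print("good:", ev_violations(good) or "EV constraints satisfied")
    print("bad: ", ev_violations(bad))
```

To run the same checks against a live site, load the server's leaf certificate with `x509.load_pem_x509_certificate` and pass it to `ev_violations`; the result is only a structural check and says nothing about whether the issuing CA is actually trusted for EV.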
Q: What prevents a hacker or malware from copying the EV padlock and the name of the company in green on the right side of the URL?
A: That area is controlled by the browser, so presuming that the hacker is copying the green address bar and other EV interface conventions into the browser is tantamount to saying that the operating system on that client has been compromised. Well, once we're able to modify the behaviour of a client system without the user's knowledge, there are much easier ways to steal information than setting up spoof sites, sending out spam e-mail and creating false green address bars in the hope of collecting information. At that point all you need to do is put a key logger on the client system and steal the information users enter when they go to the real sites where they really do have accounts and do business. I find it hard to believe that a purveyor of malware will go to all of the trouble of modifying the OS to show a green address bar for the site when that same purveyor need merely use the tried-and-true keylogging capability that has existed for years.