SSL certificates are not the same as the more secure TLS: choose the right TLS certificate for the right needs.
Consumer trust is essential for every business, especially more so in the digital economy which is expected to grow by US$500m. It is hence important for businesses to build this trust through proper cybersecurity practices.
Research by DigiCert shows that as online fraud grows, consumer digital trust in organizations is being impacted. For businesses to boost trust, they need to offer highly-secure digital transactions utilizing Transport Layer Security (TLS, but still commonly referred to as SSL) certificates that not only encrypt data in transit but provide a high assurance of the identity of the website owner.
Such digital certificates help to protect data in transit from unauthorized access by a cybercriminals. To help businesses to choose the right type of TLS/SSL certificate to gain consumer trust, DigiCert has some tips to ensure authentication, encryption and data integrity.
Three certificates for different security needs
There are three types of TLS certificates: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). Certificate authorities (CAs), like DigiCert, validate each type of certificate to a different level of user trust.
1. Domain Validation Certificate
Domain Validated certificates are checked against a domain registry to prove ownership of the site domain. However, DV certificates do not offer identifying organizational information. Therefore, it is not recommended to use DV certificates for commercial purposes. They may be the cheapest type of certificate to get, but they provide no authentication value in terms of who is behind the website.
Site visitors cannot validate if the business identity is legitimate via the certificate, leaving them more exposed to online fraud. Accordingly, DV certificates should be used only where authentication is not a concern, such as protected internal systems.
An example of a DV certificate in Chrome (after clicking on the padlock):
2. Organization Validation (OV) Certificate
To receive an OV certificate, organizations are authenticated by the CA against business registry databases hosted by governments. CAs may require certain documents and contact personnel to ensure that OV certificates contain legitimate business information. This is the standard type of certificate recommended on a commercial or public-facing website. An example of an OV certificate in Chrome (after clicking on the padlock):
3. Extended Validation Certificate
EV certificates add additional validation steps and offer the highest level of authentication to safeguard your brand and protect your users. While not every site on the web uses EV certificates, they are used by the world’s leading organizations to ensure user trust.
Over half of the top 400 e-commerce sites use EV, according to 2019 data from Comscore and Netcraft. They have found that switching from OV to EV certificates increases online transactions and improves customer confidence.
However, EVs are not just for ecommerce: these certificates give your brand the highest level of assurance and validation to ensure users know exactly where—and to whom—encrypted data is being sent. That is why EV is the global industry standard for encrypting highly sensitive data. EV certificates are used for account area logins, front-facing webpages and other sensitive areas.
Also, it is extremely difficult to impersonate an EV-enabled site. Websites using EV certificates have virtually zero incidents of identity-spoofing attacks. Often, spoofed TLS certificates are used on a website that is linked in a phishing attack to make the site seem legitimate.
A recent report highlighted this risk, when attackers imitated a popular cryptocurrency website, even getting a legitimate DV certificate for their fraudulent site that mimicked the EV certificate for the real site. They used this fake site to steal bitcoins. This is significant as large amounts of money can be lost due to phishing attacks, with more than S$7 million lost just in 2020 in Singapore. Phishing attacks account for more than 80 percent of reported security incidents globally.
Below is an example of an EV certificate in Chrome (see examples of what EV certificates look like in each browser). Note that an EV certificate in Chrome will say “Certificate Valid, Issued to: Name of Company (US)”. If you want more details, you can click on “Certificate” for more information.
Do you need Extended Validation?
Extended Validation goes beyond security. It has become the baseline for any site that wishes to boost security, reputation and trust with clients, offers the highest level of protection in this regard.
EV also provides stronger internal security controls, as it allows an organization to set in place strict rules of their CA before any certificate can be issued, including who within the organization may issue a certificate.