Extended Validation certificates and Small Business

Recently there have been a few articles [1,2,3], as well as a couple of Slashdot discussions [4,5], in which some people claim that Extended Validation certificates will somehow make life more difficult for small businesses. Others, like Larry Seltzer, are a bit more positive about the development.

As I've posted earlier [6], Extended Validation certificates are certificates issued after the information they contain has been through extensive checks to verify that the certificate is not issued to the wrong website and that its owner can readily be found. The certificate issuers are regularly audited to ensure they have good procedures when issuing such certificates.

Using additional information embedded in the certificate, browsers will be able to recognize these certificates and change their UI (for example a green security toolbar or other distinguishing UI features) to reflect the extra quality of the certificate's information.

As I also mentioned, EV certificates do not and cannot vouch for the honesty and trustworthiness of the website's owner, but the process of issuing them collects enough information that, in the event there is a problem, it should be relatively easy to contact or locate the owner.

The articles against EV make a few allegations about what the "problems" with Extended Validation are:

  • Only incorporated companies will currently be able to get EV certificates; sole proprietorships cannot currently buy such certificates. Critics claim this will give the "big" companies an unfair advantage because they are able to get the green security toolbar.
  • The EV certificates will be "much more" expensive than ordinary certificates, which is also supposed to give an unfair advantage to "big" companies.
  • Small new companies that are eligible must meet stricter requirements than older established companies.

Let me answer these below:

Who can get EV certificates?

Currently, as defined in Draft 11 (PDF) of the EV guidelines (which Microsoft will base its support on for the time being), it is quite correct that only incorporated companies can buy EV certificates. The reason for this is that such a company's existence is (in many countries) much easier to verify, because of the legal requirements for such companies, than that of a company organized as a sole proprietorship.

An incorporated company must be registered with the government, and in many cases (such as Norway) certain requirements must be met, such as having an auditor and regular filing of results to the government. Such requirements make it easier to verify the company's legal and physical existence.

Sole proprietors (one person doing business alone) are not subject to such requirements, and there may or may not be any registration requirements with the local government. (In Norway, all businesses, even sole proprietors, must register with the government, but the requirements are lower for sole proprietors.) This variability makes it difficult to securely identify such a business as a legal entity.

Non-incorporated entities with banking facilities and the ability to handle e-commerce themselves are actually quite rare. Normally this is contracted to some third party which is already incorporated, and many small/medium incorporated companies, and even some larger ones, do this as well.

Nevertheless, the CA/Browser Forum has no intention of letting this situation continue indefinitely, and is actively working to develop procedures that will permit sole proprietors and similar businesses to purchase EV certificates.

Price of EV certificates

The EV certificate routines specify a number of steps that the Certificate Authority must follow before issuing a certificate, as well as other requirements such as a yearly audit for compliance with the guidelines.

Many of these steps and requirements are not part of the current certificate issuing procedures, and each such step or requirement may carry some additional cost. This will, of course, increase the price of the certificate, but how much depends on the business model and cost structure of the CA, as well as its own choice of price level.

One of the side effects of these extra verification steps is that somebody who wants to use an EV certificate for criminal purposes, and somehow manages to get one, will have left so many details about themselves that it should be easier for the police to track them down.

While most of the current criminal activity on the net is done using insecure sites, there has been an increasing number of cases where secure sites have been used, but those sites have used minimal validation certificates that only authenticate the name of the server, and do not contain any information about the owner.

As users become more careful about where they enter information, criminals will try to get certificates for their phishing sites. EV certificates are also intended to raise the bar, making it more difficult to impersonate websites, and thus head off this development before it becomes a serious problem.
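To make the two points above concrete (a browser recognizes an EV certificate from information embedded in the certificate itself, and a minimal-validation certificate names only the server, not its owner), here is an added example that is not code from the original post. EV is signalled by a policy OID in the certificate's certificatePolicies extension, so the example carries a tiny DER encoder and parser for that extension and then classifies a few constructed certificates from their subject attributes and policy OIDs. The CA/Browser Forum OIDs it uses (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV) are real but were published later than the draft discussed here; the 1.3.6.1.4.1.99999.1.1 entry is a constructed placeholder for a CA-specific EV OID, and the subject-field check is a simplification of what the guidelines actually require. Real browsers additionally require the chain to end in the root registered for that OID, which this example does not model.

```python
"""Classify certificates as DV / OV / EV from their subject Name and the DER of
the certificatePolicies extension. Added example, not from the original post."""
from typing import Dict, List, Optional, Tuple

# CA/Browser Forum policy identifiers (real, but published after the draft the
# post discusses). A browser's EV table also holds CA-specific OIDs; the
# 1.3.6.1.4.1.99999.1.1 entry is a constructed placeholder, not a real CA.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
EV_POLICY_OIDS = {CABF_EV, "1.3.6.1.4.1.99999.1.1"}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def der_sequence(*items: bytes) -> bytes:
    """Wrap items in a DER SEQUENCE; short-form length is enough for this example."""
    body = b"".join(items)
    if len(body) >= 128:
        raise ValueError("example supports short-form lengths only")
    return bytes([0x30, len(body)]) + body


def build_certificate_policies(oids: List[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    return der_sequence(*(der_sequence(encode_oid(o)) for o in oids))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the value bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def certificate_policies(ext_der: bytes) -> List[str]:
    """Return the policy OIDs found in a DER certificatePolicies extension value."""
    tag, seq, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)          # one PolicyInformation
        oid_tag, oid_value, _ = read_tlv(info, 0)    # its policyIdentifier (qualifiers ignored)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_value))
    return oids


def validation_level(subject: Dict[str, str], policies_der: Optional[bytes]) -> str:
    """'DV' if the subject names only a server, 'OV' if it names an organisation,
    'EV' if an EV policy OID is present and the subject also carries the
    organisation and location the EV vetting verified. Simplified: the real
    guidelines require more subject fields, and the issuing root must match."""
    policies = certificate_policies(policies_der) if policies_der else []
    if not subject.get("O"):
        return "DV"    # nothing here identifies the owner, only the server name
    if EV_POLICY_OIDS & set(policies) and all(subject.get(k) for k in ("O", "L", "C")):
        return "EV"
    return "OV"


# Constructed sample certificates: subject attributes plus their policy extension.
SAMPLES = {
    "lookalike-shop.example": ({"CN": "lookalike-shop.example"},
                               build_certificate_policies([CABF_DV])),
    "shop.example": ({"CN": "shop.example", "O": "Example Shop AS", "C": "NO"},
                     build_certificate_policies([CABF_OV])),
    "pay.example": ({"CN": "pay.example", "O": "Example Payments AS", "L": "Oslo", "C": "NO"},
                    build_certificate_policies([CABF_EV])),
    # an EV OID without any owner data in the subject must not light up as EV
    "ev-oid-no-owner.example": ({"CN": "ev-oid-no-owner.example"},
                                build_certificate_policies([CABF_EV])),
}


def classify_samples() -> Dict[str, str]:
    return {name: validation_level(subj, ext) for name, (subj, ext) in SAMPLES.items()}


if __name__ == "__main__":
    for name, level in classify_samples().items():
        print(f"{level:2}  {name}")
```

The first and last samples show the point of the paragraph above: a certificate that only authenticates the server name tells the user nothing about who runs the site, and a policy OID alone is not enough either; the browser only changes its UI when the certificate also carries the vetted owner information that the EV process collects.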

As a side effect, the increased effort required to obtain EV certificates should deter some lazy criminals currently profiting from the insecure habits some sites have instilled in users.

Stricter requirements for small and new companies

Larger companies naturally have a much larger footprint in financial databases than smaller and newer companies. This means that their existence will be easier to verify than that of smaller companies.

This will not prevent small/new companies from getting an EV certificate, but it may mean that these companies will have to spend slightly more time providing details to the CA than the bigger companies do.

This is unfortunate for a small legitimate business, but it is the basic cost of being able to secure the web for consumers.

However, in many cases small and new businesses will contract payment processing to a third party, which in most cases is the part of the service that would be secured using an EV certificate. I'll write more about this below.

"The cost of EV certificates is unfair to small businesses"

Yes, big companies may not need to worry about cost to the same degree as smaller companies.

This is simply a recognition of the world in general.

Which businesses/activities really need an EV Certificate?

Generally I'd say that the following areas really need an EV certificate:

  • Payment services: all websites where you enter credit card details, name and shipping details in combination should have an EV certificate.
  • Web services handling sensitive data, for example net banking, insurance sites, and government sites managing personal data. As sensitive data I consider name, address, social security numbers and other personally sensitive data, in particular when parts of the information can be used to impersonate the individual.

Both of the above types of services are the kind of applications that should be handled by professionals. Even big companies or government agencies doing the job "in-house" should tread carefully, because it is far too easy to leave a hole in the system, as has been seen too many times recently (also among the professionals).

For small online shops I recommend that you do not try to implement the payment system yourself (and you probably should not try to create the webshop yourself either). There are several reasons for this:

  • Security: It is very easy to let something dangerous slip into the system.
  • Performance: Shopping systems created by professional developers and hosted on dedicated enterprise hardware are likely to be more efficient than your own (no offense intended).
  • Economy: A third-party shopping system that does what you want probably already exists. Why should you spend time and money, better spent improving your business, on trying to reinvent the wheel? (Don't get me wrong: if you really have a system that works as well as, or better than, what is already out there, you should definitely start a new business selling your system.)

A couple of the articles mentioned above use as examples a couple of small business entrepreneurs who are worried about the effect of EV certificates on their business.

One of them, a sole proprietor, is (as pointed out in an IE Blog entry) already using two major third-party systems for payment and shopping, both of which are very likely to be eligible for an EV certificate, meaning that her checkout pages will get the green "light" without any action on her part.

The second one, who is incorporated but does not currently have any online business, is eligible for an EV certificate according to the current guidelines and should be able to get one if she truly needs it. However, I think she can spend her money and resources better by using a third party to manage the webshop and the payment services. Such third parties should also be able to get an EV certificate, and can spread the cost across far more transactions than the small business can.

So, how will EV certificates affect small business?

EV certificates were not created to hamper small business, and I think most small businesses will either be relatively unaffected by EV certificates, or gain from them if they are using third-party services that are eligible for EV certificates. While most secure websites do not need an EV certificate, if a business does need an EV certificate for its own service, its business will in most cases be profitable enough that the extra cost isn't insurmountable.

Overall, while the EV certificate isn't a silver bullet, it will help to increase trust on the Internet, and in the long run this will be a major benefit for small businesses on the Internet.