« Barracuda Networks is defending itself, the rest is spin | Main | Open source continuity: Solid is dead, will solidDb survive? »

Extended Validation SSL certificates not going anywhere, as predicted

February 27, 2008

According to Netcraft, there are around 4,500 web sites using Extended Validation (EV) SSL certificates, one year after this new type of certificate was introduced. At the same time, over 800,000 sites continue to use the old-style certificates. Embarassingly enough, even the certificate authorities themselves are not valuing the new technology, with some of their sites that were using EV SSL certificates a year ago reverting back to plain SSL certificates since.

This practically means the EV SSL certificates are dead. Admitedly, there is very little reason for web sites to deploy EV SSL certificates today, as the majority of users won't see any difference in their browsers. The new certificate type is supported in IE7 on Vista, with a manual update required  on Windows XP is required to enable the feature.  (Confusingly, the update didn't work for my Windows XP laptop, and I have no idea why.) Firefox, in version 2.x (the current version at the time of writing), treats EV SSL certificates as any other certificate, although version 3.x (which is around the corner) adds support. There is a very slight chance the support for EV SSL certificates in browsers will, in turn, raise interest in the technology, but I wouldn't hold my breath waiting for that to happen.

Not that it matters anyway. I wrote about EV SSL certificates last year, arguing that they are too little, too late. If we wanted to raise the level of security we should have simply mandated thorough verification of all new SSL certificates. We would have to wait for the current SSL certificates to expire, but we would eventually end up with an improved situation. With the current approach, a lot of people are going to put a lot of effort to achieve nothing: very few web site will choose to use EV SSL certificates and even fewer people will know the difference [PDF]. Phishing will continue to be a problem.

In addition to all this, EV SSL certificates are simply addressing the wrong problem. Internet needs trust, but identifying legal entities behind web site addresses is not going to help with that.  I do not need to know the identity of whoever is on the other end of the connection. What I really care about is knowing if it is safe to place the order, and this I already know how to determine with a reasonable amount of certainty: I am going to base my decision on the reputation of the merchant. In real life, I am unlikely to make a significant purchase in a seedy part of the town. Equally, online, I am unlikely to make a significant purchase from a web site I've just come across. I am going to make the large majority of my purchases with a well-know retailer, for example Amazon.com.

People prefer to make incremental changes because they are easier to do, but large problems are often too big for a series of small improvements, and require radical actions to solve.