134. Online Security with EV SSL Certificates
By Andrew D. Wright
It used to be so easy. If you were on a web page and saw the little
padlock in the web browser, you were safe on an encrypted web page.
These days, it's not so easy, but a new security initiative called EV SSL
is trying to improve things. EV stands for Extended Validation, and SSL, or
Secure Sockets Layer, is the Internet standard way of encrypting data over
a network.
When you visit a secure website that has a valid EV SSL certificate using a
supported web browser, the address window will have a green background and
say with whom you are connecting securely.
Internet Explorer 7 on Windows Vista supports EV SSL by default. On
Windows XP, Internet Explorer 7 supports EV SSL if you either have
Automatic Website Checking turned on (under Tools - Phishing Filter) or if
you have the "Check for server certificate revocation" checkbox checked
under Tools - Internet Options - Advanced - Security.
EV SSL is supported by default in the new Firefox 3 web browser, due out
June 17, 2008, and in the new Opera 9.5 web browser, released on June 12,
2008.
This is what the green address bar on an EV SSL website looks like in the
(top to bottom) Internet Explorer 7, Firefox 3 and Opera 9.5 web browsers:
To have a secure page, a website has to purchase an SSL certificate from a
Certificate Authority (CA). This is a key used to scramble the data sent
to and from a web browser. The key is unique to that website so no one
else can open the data. To get that key, the website had to prove its
identity to the Certificate Authority.
As time went on, more Certificate Authorities were created and some didn't
check website credentials very well. So now a regular secure certificate
just means that the connection to the website is scrambled, but it can be
less reliable for verifying the identity of the website.
This is why the EV SSL certificate was created. There are agreed-upon
standards for confirming the identity of every EV SSL certificate holder,
so if EV SSL says that a website belongs to someone, the Certificate
Authority has proof to back that up. In other words, not only is the
connection scrambled, you can also be confident that the website belongs
to the party it claims to belong to.
Both SSL and EV SSL certificates mean that your data is being sent over
the Internet in a way that no one else can intercept and read. By clicking
on the padlock icon on your web browser you can check who the secure
certificate was issued to and what Certificate Authority issued it.
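The padlock check described above, as an added Python example that is not part of the original column: it reads the "issued to" and "issued by" names from a certificate in the form Python's ssl.SSLSocket.getpeercert() returns. The function names, sample certificates and the "ev_style_subject" test are assumptions made for illustration; a browser's green bar also depends on a policy identifier in the certificate and on the browser's own list of EV-capable Certificate Authorities, which this form does not expose.

```python
# Added example. Inputs have the shape returned by ssl.SSLSocket.getpeercert().

# Subject fields an EV certificate carries in addition to the organisation name.
EV_FIELDS = ("businessCategory", "serialNumber", "jurisdictionCountryName")
# Older OpenSSL builds report the jurisdiction country by OID or short name.
ALIASES = {
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
    "jurisdictionC": "jurisdictionCountryName",
}


def flatten(name):
    """Turn the nested tuple-of-RDNs form into a plain dict."""
    return {ALIASES.get(key, key): value for rdn in name for key, value in rdn}


def describe(cert):
    """Summarise who a certificate names and which CA vouched for it."""
    subject, issuer = flatten(cert["subject"]), flatten(cert["issuer"])
    org = subject.get("organizationName")
    return {
        # With no organisation in the subject, only the host name is named.
        "issued_to": org or subject.get("commonName"),
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        # Heuristic (assumption): the subject looks like an EV subject.
        "ev_style_subject": org is not None
        and all(field in subject for field in EV_FIELDS),
    }


# Constructed sample certificates; every name and number here is made up.
REGULAR = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Constructed Budget CA"),),),
}
EV = {
    "subject": (
        (("1.3.6.1.4.1.311.60.2.1.3", "CA"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Credit Union"),),
        (("commonName", "www.example.org"),),
    ),
    "issuer": ((("organizationName", "Constructed EV CA"),),),
}

if __name__ == "__main__":
    for sample in (REGULAR, EV):
        print(describe(sample))
```

For the regular sample the only name available is the host name itself, which is why such a certificate says little about who runs the site.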
What these certificates don't do is prove that what is on either end of
the secure connection is safe. A Chebucto Community Net volunteer once
said that SSL was like someone living in a cardboard box using a
well-guarded armored truck to send something to someone else living in a
cardboard box. Their point was that security is only as good as the
weakest link in the chain.
It is a good idea to check the privacy policy of the group you are sending
information to and how they handle sensitive information.
On your side of things, your home computer should be free of viruses,
trojans, spyware, keyloggers or other malware. It should be up-to-date
with any Operating System updates and should have anti-virus and
anti-malware protection.
Users running Windows computers who want to be extra careful may want to
get an Ubuntu Linux CD and boot their computer up with it to do any online
transactions. This would be protection against everything except a
hardware key-logging device physically attached to the computer.
Check if your browser supports EV SSL here
(Internet Explorer 7, Firefox 3, Opera 9.5):
https://www.chebucto.ns.ca/Services/Registration/
Ubuntu boot CD (free):
http://www.ubuntu.com/
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question
in a column, we'll send you a free mousepad.
Originally published 13 June 2008