Wednesday, 13 July 2011

Extended Validation EV SSL Certificates – Should Your Website Have One?

Extended Validation EV SSL certificates are the latest secure certificates that offer the highest level of “outward” security to the end user. Introduced in 2007, these new SSL certificates cause the address bar to turn green in a visitor’s web browser, and also to display the company name. Here are two examples of this in Firefox and Internet Explorer:

[Screenshots not preserved: the green EV address bar in Firefox and in Internet Explorer]

EV certs have a more thorough application process, as each business is “vetted” prior to being issued an EV certificate. This means that organizations that have an EV SSL certificate are much more likely to be legitimate entities, as opposed to standard SSL certificates, which may be obtained by anyone without any verification.

Is it worth it to have an EV SSL Certificate? I believe the answer is YES!

EV Usage for the Top 100 Retail Websites

I took a detailed look at Internet Retailer’s 2009 Top 100 Retail Websites, as I felt this was a good cross-section of large and medium sized ecommerce merchants. I recorded which sites had an EV cert., what SSL vendor they were using, and I looked for any warnings or errors on their secure pages.

* 20% of the Top 100 retailers are currently using an EV SSL Certificate.
* 17% of the Top 100 retailers had an insecure call / warning on either their secure sign-in or secure checkout pages. This resulted in either a browser warning or missing padlock in the browser.

And here is the breakdown of the SSL vendors in use by the Top 100 retailers:

Interpreting the data

What can we learn from the above statistics? In terms of EV SSL adoption, 20% of the top retailers are now using an EV SSL certificate. Although this may seem like a low number, other studies in 2007 and 2008 found around 2% adoption in 2007, and around 12% adoption in 2008 for major retailers. There is a slow progression towards more retailers using EV.

However, there are a number of reasons why larger retailers may not have an EV SSL cert.:
  • If you’re Amazon, people already trust you
Large retailers may not feel the need to add an extra layer of security, since they are a well known brand. If the padlock appears and no warnings pop up, people will purchase.
  • IT managers just renew what they have currently
Many IT departments simply make sure their SSL certificate does not expire. They renew it early, and keep it the same to keep it simple for them. The thought of obtaining a new type of SSL certificate may not cross their mind, or seem too daunting.
  • Too many hoops to jump through
In larger organizations, there are established procedures for the handling of existing SSL certificates. In order to get an EV certificate, the IT department has to get access to incorporation documents, DUNS numbers, etc… and probably needs to submit a proposal up the chain for approving this change. It may just be too much work for little return in their eyes (which I feel is a mistake).
  • They don’t see the need
Consumers have not yet fully caught on to how EV certificates work, and not all older browsers support EV in terms of green bars and company names being displayed. These larger retailers may not see a large enough benefit to change their ways (again a mistake in my opinion).

Does the SSL vendor matter?

In looking at the top 100 retailers, Verisign was the most popular SSL vendor. This makes sense as they are seen as the leader, and worked hard with large retailers to establish partnerships. Akamai was the second most popular, which also makes sense as larger retailers often partner with Akamai as their content delivery network provider. Geotrust was next, and has a good reputation for business websites.
Technically speaking, all the major vendors offer the same level of security in terms of the certificate itself. All of the more recent web browsers fully support the major SSL vendors, so they all work the same. Brand name recognition does come into play if the website displays a security seal, as many consumers recognize names such as Verisign or Geotrust. And some seals are more visually appealing and look more professional (The GoDaddy seal is not a professional look in my opinion).

Does it matter? Yes. Industry leaders such as Verisign and Geotrust (which is actually owned by Verisign) have more brand name recognition, and can help with conversion rates for those shoppers on the fence when it comes to trusting a website before completing a purchase (assuming you prominently display the security seal). Additionally, Verisign and Geotrust are fully supported by older web browsers, which may still account for up to 5 to 10 percent of your visitors.

What about the errors?

When I found that 17% of the top 100 retailers had some sort of insecure call or security warning on their secure pages, I was quite shocked. I figured these large organizations would eliminate these sorts of problems on their websites. These are the types of errors that can cause buyers to not complete a purchase due to security concerns. People know that the secure padlock/key needs to be present to ensure a safe transaction.

Although a large well known company such as Walmart can survive a few lost sales, smaller merchants cannot afford to drive away sales with security warnings and missing padlocks. Here is where a small business can outperform a large online store: Make sure your secure pages are 100% secure so your customers feel safe shopping on your website.
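An added example (not from the original post): a static check for the "insecure call" problem described above, listing what an HTTPS page would fetch or submit over plain HTTP. The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "active" content can rewrite the page or carries form data; "passive" only displays.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class InsecureCallFinder(HTMLParser):
    """Collect what an HTTPS page would load or submit over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) == ("link", "href"):
                # Only stylesheets are fetched and applied; rel=canonical is not.
                if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                    continue
                severity = "active"
            elif (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            else:
                continue  # e.g. <a href> is navigation, not a subresource
            # Resolve relative and protocol-relative URLs against the page URL.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((severity, tag, resolved))

def find_insecure_calls(page_url, html):
    if urlparse(page_url).scheme != "https":
        raise ValueError("page_url must be the https:// URL of the secure page")
    finder = InsecureCallFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), as served from SAMPLE_URL.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="http://stats.example/track.js"></script>
<img src="//cdn.example/logo.png"><img src="http://cdn.example/badge.gif">
<a href="http://shop.example/help">Help</a><form action="https://shop.example/pay"></form>"""
```

The check only sees references present in the HTML source; resources pulled in by scripts or by `url()` rules inside stylesheets need a browser-based test of the same pages.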

To EV or not to EV, that is the question…

The skeptic might say:
80% of the top retailers do not use EV certs. EV certs cost more and it’s more difficult to get approved for one. Many consumers still do not understand the difference between a green address bar and the secure padlock.

All of the above is true. However, that does not mean you should skip an EV certificate. And here’s why:
  • Don’t follow the herd
Just because 80% of the top 100 are not using an EV SSL certificate does not mean it’s the right choice for your business. Their reasons for not having one (laziness, too much red tape, do not understand the technology, etc…) are most likely not the same as yours (e.g. the cost and time to get an EV cert. do not matter to them), and are not in line with your goals. See this as an opportunity to offer more recognizable security to your customers. It can be a competitive advantage.
  • The green bar is continuing to become more recognized
As more consumers use Windows 7, IE 8, and Firefox, the green bar becomes more widely adopted. EV features are built into Internet Explorer 8 and Firefox, so more people are being exposed to this new technology. People are starting to notice the green bar and company name, and will equate that with a secure website.
  • EV certificates are harder to obtain
This is a good thing. A less than reputable site or scam website can easily get a regular SSL certificate. However, they would be hard pressed to pass the background checks for an EV certificate. If your website has an EV certificate, it shows your business to be on the “up and up” and you have something not everyone can purchase. It gives you a competitive advantage over those websites that do not have one.

The bottom line on EV

For a few more dollars and a little more paperwork, your website can offer the most secure certificate available today. If only a few shoppers recognize the added security and it helps them complete a purchase at your store, it will be worth it. And that is the worst case scenario. The more likely scenario is more consumers are aware of (and actively look for) the green bar to signal a truly secure connection, and put more trust in those websites that use EV SSL certificates in their store.
