Why Even Bother with Extended Validation Certificates?
Not all sites use Extended Validation certificates. Though it is good to keep current on-browser patches – the only true protection is user behavior.
19 May 2014
We’re all aware of experts’ security advice: “Make sure you open e-mail only from trusted sources” or “Make sure you check the site URL before you click and visit”. Unfortunately, there is no easy way to ensure your organization will follow these wise suggestions. Nowadays, nearly everything can be spoofed, and it is even possible to impersonate a legitimate site by forging SSL certificates in man-in-the-middle attacks.
Can Extended Validation certificates be useful here? Extended Validation (EV) certificates, which operate similarly to conventional SSL certificates, do not add to the transport layer security. EV certificates simply confirm to the end user that the issuing authority has verified that people buying the certificate are actually the people who run the site connections to which it is supposed to protect.
Were you able to check that the SSL certificate was actually issued for the site you are visiting (i.e. were you able to verify the extended validation (EV) certificate)? You, as a user, might care less about those scary sounding bugs - 15 or so fixed in Version 29 of FireFox or the latest Internet Explorer find
Unfortunately, not all sites use EV certificates. So what can you do instead? Though it is a good idea to keep current on-browser patches in case of a truly catastrophic issue is discovered – the only true protection is user behavior. Here are a few simple best practices to ensure you are browsing as securely as possible:
- Use new sessions for browsing – Try to use a new session for browsing(for IE it is under File/New Session), so that if you stumble upon a malicious website there’s no chance for the bad guys to snap up your sessions, IDs, passwords or any other information of value. Opening new tabs and new windows keeps existing cookies visible to new sites you visit.
- Be reasonable when browsing – When you are searching for a product or a service, if you come across a deal too good to be true, it’s usually a trap. That brand new Lexus for $5,000.00? Don’t look at the vehicle condition and don’t play the video to see how great it is.
- Keep an eye on the SSL indicator – Make sure you watch the SSL indicator, that little lock in the corner that tells you the communications are encrypted. Better yet – check the EV certificate. This means that the issuer has verified that the certificate goes to your bank and not to the hacker buying the certificate for the bank.
- Avoid back alleys – Always avoid back alleys - internet back alleys, in this case, so that the next security fix will not be as important to you.
A combination of technical measures (such as EV certificates) and prudent behavior that complement one another, will be much more likely to keep you browsing safely than relying on software vendors to produce secure browsers.
Good luck out there. You’re going to need it.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.