Shorter certificate cycles shouldn’t mean ignoring extended validation
In terms of browser news, the impending removal of tracking cookies dominated the headlines. Chrome, for example, announced that it would remove support for third-party cookies in favor of privacy-preserving application programming interfaces (APIs) that prevent one-to-one tracking while still delivering results for advertisers and publishers.
However, another, potentially even more impactful development is slipping under the radar: a shortening of the TLS/SSL (Secure Sockets Layer) certificate lifecycle. Browser and certificate authority (CA) policy now caps the validity of publicly trusted certificates at 398 days, roughly 13 months, which accommodates a one-year term plus about a month of leeway for renewal.
The intention is to enhance security: a shorter certificate lifetime means a compromised or mis-issued certificate is usable by an attacker for less time, provided the key pair is rotated at renewal rather than reused. The faster cycle also means website owner information, such as company name, address and domains, is reconfirmed annually, which should increase user confidence.
However, it also puts pressure on big brands (as well as smaller, lesser-known ones) to update their certificates faster and more consistently, which could push extended validation (EV) toward extinction.
So why should we care? Because there are three types of TLS certificate, and each gives a different level of identity assurance. All three provide the same encryption; what differs is how thoroughly the CA vets who is behind the domain:
Domain validation (DV): The CA checks only that the applicant controls the domain name. The certificate asserts nothing about who the applicant is.
Organization validation (OV): Does what DV does while also authenticating some details about the owning organization, such as its name and address, which then appear in the certificate.
Extended validation (EV): The highest level of validation, requiring extensive examination to document the legal, physical and operational existence of the organization behind the domain. Like every certificate, it is signed by the CA's key; what sets it apart is the vetting behind the identity it asserts, which is what proves the company behind the website is its true owner.
The rush to certify
While it’s understandable that the pandemic has sparked a new sense of urgency to present digital brands as trustworthy, the rush to certify could do more harm than good. The EV process can take up to a week, while a business can complete the DV process in hours or even minutes. If it chooses the latter because of the time factor, it sacrifices trust: users cannot know with certainty that they have landed on a legitimate website.
All DV proves is that some entity controls the domain name, and that entity could very well be an attacker posing as a popular consumer brand on a lookalike domain. How will shoppers distinguish between legitimate e-commerce sites and malicious ones? If DV is the only option, they won’t.
So how does an organization balance the “need for speed” here and an ongoing commitment to the safest validations? Here are three recommendations:
Plan ahead. To manage a certificate portfolio properly, companies need to track expiration dates. CAs typically have to complete their verification steps and send reminders to owners after consulting them, which has become harder in the post-pandemic era. Owners and brands should therefore add a month to their renewal timeline to give the CA sufficient time to vet them.
Be consistent. When requesting a new certificate, owner organizations should review the details submitted for previous certificates to ensure consistency. If ten details are presented in ten different ways, the CA examining the information will be confused and approval may be delayed.
Stay the course. Browser vendors are committed to finding ways to create the fastest, easiest browsing experience for consumers. Even though brands will be forced to update their certificates more often, they should not resort to the “fastest” option. Stay the course and adhere to the most proven validation methods.
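The "plan ahead" step is easier when the certificate inventory is checked by a script rather than by memory. The following Go program is an added example, not code from the original article: it classifies a certificate as DV, OV or EV from the CA/Browser Forum policy OIDs (2.23.140.1.2.1, 2.23.140.1.2.2 and 2.23.140.1.1), reports days to expiry, and flags lifetimes longer than the 398-day browser cap. Because it has to run offline, it builds its own self-signed sample certificates in memory; the hostnames, organization names and lifetimes are constructed test data, and the helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificate-policy OIDs. Real CAs may add their own
// vendor-specific EV OIDs alongside these; this check only knows the reserved ones.
var (
	OidCABFEV       = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // Extended Validation
	OidCABFDV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // Domain Validated
	OidCABFOV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // Organization Validated
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}        // id-ce-certificatePolicies
)

// MaxValidityDays is the cap browsers enforce on publicly trusted TLS
// certificates issued on or after 1 September 2020.
const MaxValidityDays = 398

// ValidationLevel classifies a certificate as DV, OV or EV from its policy OIDs,
// falling back to whether the Subject names an organization at all.
func ValidationLevel(c *x509.Certificate) string {
	for _, p := range c.PolicyIdentifiers {
		switch {
		case p.Equal(OidCABFEV):
			return "EV"
		case p.Equal(OidCABFOV):
			return "OV"
		case p.Equal(OidCABFDV):
			return "DV"
		}
	}
	if len(c.Subject.Organization) > 0 {
		return "OV" // an identity is asserted, but under no recognised policy OID
	}
	return "DV"
}

// DaysUntilExpiry returns whole days from now until NotAfter (negative once expired).
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// ExceedsBrowserCap reports whether the certificate's lifetime is longer than
// browsers accept for certificates issued under the 398-day rule.
func ExceedsBrowserCap(c *x509.Certificate) bool {
	return c.NotAfter.Sub(c.NotBefore) > time.Duration(MaxValidityDays)*24*time.Hour
}

// policyInformation is the ASN.1 PolicyInformation structure (qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// MakeTestCert builds a self-signed certificate in memory so the checks above can
// run offline. It is constructed sample data, not a CA-issued certificate. The
// policy OID is written as a raw certificatePolicies extension so the encoding is
// the same across Go versions.
func MakeTestCert(cn, org string, policy asn1.ObjectIdentifier, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: cn},
		DNSNames:        []string{cn},
		NotBefore:       now,
		NotAfter:        now.Add(time.Duration(validDays) * 24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertPolicies, Value: polDER}},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample portfolio: a short DV cert, a one-year EV cert and an
	// old-style two-year OV cert that would no longer be accepted by browsers.
	samples := []struct {
		cn, org string
		policy  asn1.ObjectIdentifier
		days    int
	}{
		{"shop.example", "", OidCABFDV, 90},
		{"bank.example", "Example Bank plc", OidCABFEV, 365},
		{"legacy.example", "Legacy Ltd", OidCABFOV, 730},
	}
	now := time.Now()
	for _, s := range samples {
		c, err := MakeTestCert(s.cn, s.org, s.policy, s.days)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s %-3s expires in %4d days  exceeds 398-day cap: %v\n",
			c.Subject.CommonName, ValidationLevel(c), DaysUntilExpiry(c, now), ExceedsBrowserCap(c))
	}
}
```

To run this against a live site instead of the constructed samples, pass the leaf certificate from `tls.Dial` (`conn.ConnectionState().PeerCertificates[0]`) to the same three functions; the classification logic does not change. Treat the DV fallback with care: a certificate with no recognised policy OID and no organization field is reported as DV, which is exactly the case the article warns about.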
Businesses need to understand that in addition to obtaining a TLS certificate quickly, they need to build consumer trust. People trust the companies they know: financial institutions, large retailers and public-facing government entities. These trusted brands are also the companies attackers and phishing scammers target most because of their high website traffic. If businesses are pushed toward the quickest-to-obtain certificate, identity assurance is sacrificed and consumers won’t know which websites to trust.
The result: DV, OV and EV all produce the same padlock in the corner of the browser, and the OV process today is much more transparent thanks to automation. The padlock cannot be forged, but a phishing site can legitimately obtain a DV certificate for a lookalike domain and show the very same padlock, so the padlock alone says nothing about who runs the site; only the vetted organization details in an OV or EV certificate do. One caveat for brands relying on EV: since 2019 the major browsers no longer display the EV organization name in the address bar, so that assurance is visible only to users who open the certificate details. The most senior decision-makers in a company are also the custodians of the brand. It’s up to these people to allocate the appropriate time, attention and resources to their domain ecosystem so that their consumers’ trust never falters. They say hard work pays off. Now is not the time to find shortcuts. It’s time to work hard, even if it means sticking to the most proven validation methods.