Many websites have enabled the Transport Layer Security Protocol (a requirement of the CA/B forum) in order to provide their customers with trusted and secure communications with their internet service. Of those that do, many use Domain Validated (DV) certificates to meet basic browser requirements, without considering Organization Validation (OV) and Extended Validation (EV) certificates that offer the browser user the benefit of higher assurance in terms of trusting the web service they are accessing. It makes a lot of difference if an organization goes the extra mile to provide customers confidence in the authenticity of their web services rather than just ticking the box.

The CA/Browser Forum began in 2005 as part of an effort among certification authorities and browser software vendors to standardize cryptographic controls for web browsing. The purpose of these controls is to add security and trust to web browsing by securing data exchanges between the internet browser and website via an encrypted connection, as well as to provide the browser user with assurance regarding the identity of the web service being accessed.

The security protocol that provides this is known as Transport Layer Security (TLS), which is a newer and more secure version of the former Secure Socket Layer (SSL) protocol. The TLS protocol is enabled by TLS digital certificates that are produced by Certificate Authorities (CAs). These digital certificates and the CA that signed them are cryptographically linked to a Root Certificate Authority (RCA) certificate that has been embedded into the browser products’ Trusted Root CA list as a ‘Trust Anchor’.

The associated web browser vendors implement these controls in their products. Where an uncompliant website is accessed, the browsers provide ‘untrusted’ error messages to the browser user.

There are 3 types of TLS certificates that can be used by a website to enable the TLS protocol:

• Domain Validation (DV) Certificates
• Organization Validation (OV) Certificates
• Extended Validation (EV) Certificates

Whilst all 3 of them ensure the browser does not present the user with an untrusted message and enable the encrypted session between the browser and the website, there are differences in the level of trust assurance each provides to the browser user.

Domain Validation (DV) Certificates are by far the most commonly used type of TLS certificate. The reason for this is that they are the most economical and can sometimes even come at no cost at all. They ‘tick the box’ by ensuring the bare minimum trust requirements of the browsers are met. DV certificates only provide assurance that the website domain is registered and controlled by the requester, but that does not mean there is an association between the domain and the organization it represents (i.e. These certificates do not contain the organization name because the relationship between the requestor and organization is not validated in the DV process). Many phishing and smishing URLs leverage TLS to give users a false sense of security about website authenticity. Threat actors using these techniques are more likely to go for DV TLS certificates given the cost factor and the likelihood of the vetting process approving their application.

Organization Validation (OV) Certificates provide all the benefits of DV and more, however, they have an additional cost associated with more extensive efforts within the vetting process. They assure customers that the domain they are accessing is owned by your organization, so there is a level of credibility associated with your service.

Extended Validation (EV) Certificates provide the highest level of trust assurance, via more stringent validation processes, and are therefore the most expensive. Having the EV TLS certificate is the web's way to indicate to anyone who visits your site that you are who you say you are. It confirms that you're trustworthy and willing to take the necessary steps to prove it.

To summarize,

• Without TLS, customers cannot trust the authenticity of your website. There is no security or privacy in data exchanges between their browser and your web service, potentially leading to unauthorized access of your customers’ browsing behavior or data. Customers will also be greeted with ‘not trusted‘ error messages when accessing your website, which might damage your reputation.
• DV TLS certificates provide privacy and data security between the customer’s browser and your website, however, they do not provide information into whether or not your website can be trusted. Phishing and smishing attacks often use URLs that have DV TLS certificates. OV and EV TLS certificates both provide all the benefits of DV and more. They go beyond privacy and authentication, they are about trust. EV is the highest level of assurance that you can provide to customers, demonstrating that your organization is willing to invest so that customers can trust your Internet services.

Author:Aaron Carolan

Caption - Cybercriminals are always on the lookout to steal critical information sent between users and web services. Read more on how you can add security to your website, ultimately building user confidence and improving your brand reputation.