
Risk

3/3/2009 04:33 PM

Only 1 Percent of SSL-Secured Sites Use Extended Validation SSL

Calls for widespread EV SSL implementation are on the rise as SSL threats increase

Two years after its rollout, the more secure Extended Validation Secure Sockets Layer (EV SSL) digital certificate for authenticating Websites and securing Web sessions is used on more than 11,000 Websites worldwide. But that's only 1 percent of the 1.03 million sites currently secured with SSL certificates, according to Netcraft.

Meanwhile, calls for EV SSL adoption have intensified amid concerns about new man-in-the-middle (MITM) attacks that target newly discovered weaknesses in SSL: the MD5 hash-collision attack that allows the creation of forged CA and X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC that makes users believe they are visiting a secure Website when they are not.

SSL-secured sites with EV SSL display a green address bar when used with the latest versions of most major Web browsers. The green address bar bears the name of the organization that owns the certificate, as well as the authority that issued it. EV SSL is intended to assure users that the site belongs to the named, vetted organization and that the session is encrypted and secured.
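The green-bar decision described above rests on specific certificate contents: the CA/Browser Forum EV policy OID (2.23.140.1.1) in the certificatePolicies extension, and the subject fields a CA must vet before issuing EV (organization name, country, registration serial number, business category and jurisdiction of incorporation). The Go program below is an added example, not code from Dark Reading, Netcraft, VeriSign or any browser vendor. It builds a constructed, self-signed certificate for the reserved name shop.example, with and without those EV fields (the organization "Example Retail Ltd" and registration number are made up), then reports whether a browser would have grounds to treat the leaf certificate as EV. Chain validation to an EV-enabled root, which a real browser also performs, is out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Real OIDs: RFC 5280 certificatePolicies, the CA/Browser Forum EV policy OID, and the EV subject attributes.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	evSubjectAttrs         = []struct{ name string; oid asn1.ObjectIdentifier }{
		{"organizationName", asn1.ObjectIdentifier{2, 5, 4, 10}}, {"countryName", asn1.ObjectIdentifier{2, 5, 4, 6}},
		{"serialNumber", asn1.ObjectIdentifier{2, 5, 4, 5}}, {"businessCategory", oidBusinessCategory},
		{"jurisdictionCountryName", oidJurisdictionCountry},
	}
)

// policyInformation reads only the OID of an RFC 5280 PolicyInformation; encoding/asn1 tolerates trailing qualifiers.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// EVReport holds what a browser checks in the leaf certificate before showing the green bar (chain checks excluded).
type EVReport struct {
	HasEVPolicy    bool
	Organization   string   // the vetted name the green bar displays
	MissingSubject []string // EV identity fields absent from the subject
	IsEV           bool
}

// InspectEV extracts the EV-relevant facts from a parsed certificate.
func InspectEV(cert *x509.Certificate) (EVReport, error) {
	rep := EVReport{Organization: strings.Join(cert.Subject.Organization, ", ")}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			return rep, fmt.Errorf("certificatePolicies: %w", err)
		}
		for _, p := range policies {
			rep.HasEVPolicy = rep.HasEVPolicy || p.Policy.Equal(oidCABFEV)
		}
	}
	present := map[string]bool{} // subject attribute OIDs carrying a non-empty string value
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && s != "" {
			present[atv.Type.String()] = true
		}
	}
	for _, a := range evSubjectAttrs {
		if !present[a.oid.String()] {
			rep.MissingSubject = append(rep.MissingSubject, a.name)
		}
	}
	rep.IsEV = rep.HasEVPolicy && len(rep.MissingSubject) == 0
	return rep, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCert builds a constructed, self-signed certificate for the reserved name
// shop.example, with or without the EV identity fields and the EV policy OID.
func newTestCert(ev bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shop.example", Organization: []string{"Example Retail Ltd"}, Country: []string{"GB"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		DNSNames:     []string{"shop.example"},
	}
	if ev {
		tmpl.Subject.SerialNumber = "01234567" // constructed company registration number
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionCountry, Value: "GB"}}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: must(asn1.Marshal([]policyInformation{{Policy: oidCABFEV}}))}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() { fmt.Println(InspectEV(newTestCert(true))) }
```

Run with `go run .`; the EV variant reports the organization name with an empty MissingSubject list and IsEV true, while `newTestCert(false)` yields the same organization but no EV policy and three missing identity fields, which is exactly the difference a browser uses to withhold the green bar from an ordinary (domain-validated) certificate for the same hostname.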

According to Netcraft's latest numbers on EV SSL adoption, today's main adopters are the world's most visited Websites; more than one-fourth of SSL certificates in the top 1,000 sites use EV SSL. Most of the popular browsers support it, so more than 70 percent of all Internet users are using EV SSL-ready browsers today, Netcraft says.

Tim Callan, vice president of product marketing for VeriSign, says the good news is that many of the major Websites in ecommerce now have EV SSL, including eBay, PayPal, Travelocity, and Schwab. "These are leaders ... the adoption among flagship sites has been very good news for the visibility of the green bar, in general," he says. "We are in conversations with lots of businesses that plan to go EV SSL -- it's on their road maps."

EV SSL is considered a major defense against being duped into believing a phishing site is a legitimate one. But whether those enterprises that don't fall into the eBay-size category can afford the starting cost of $1,000 per year per server (not including volume and multiyear discounts) is unclear in the current financial climate. VeriSign's Callan says one major hurdle to EV SSL adoption in many enterprises is the disconnect between those who run the Web servers and those who handle customer satisfaction and sales issues.

"I was surprised at the level of disconnect," he says. "These two groups often don't know each other, and we at VeriSign end up bridging the two."

Another issue is that enterprises often have long road maps for their Websites. "They have plans for sites that extend for years into the future," Callan says.

Security experts like Dan Kaminsky recommend EV SSL as one solution for protecting against phishing and MITM-type attacks on Websites. The Internal Revenue Service, the International Telecommunication Union, and The Authentication and Online Trust Alliance all have endorsed EV SSL.

VeriSign currently provides about 75 percent of all EV SSL certificates worldwide, the company says. "I think every site that's asking for sensitive information should go to EV SSL right away," VeriSign's Callan says. "Do I wish it was [being adopted] faster? Absolutely. But in the real world, it takes time to get it migrated over."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
