The number of deployed Extended Validation (EV) SSL certificates has increased, with new measures by browsers to promote “secure” websites.
Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that EV certificates are still important, but acknowledged that there is a need for more education around them.
One idea he discussed was to create a whitelist of sources that use an EV certificate, and allow all certificate authorities (CAs) to access the whitelist to improve validation. Another was to establish a minimum amount of time it could take to allow an EV certificate to be issued, but Coclin acknowledged that this was not popular as it may affect new companies who want an EV cert for their domain.
Another idea was to add “validated trademarks” into the certificate as they are recognizable and distinguishable, “and if we put these into the certificates, people would have an extra way of validating that the certificate is authentic.” These will have been validated by the CA, using a standard set of validations and rules.
The last option is to add a requirement that the CA checks the record to see what sort of certificate should be issued for a domain. “If you say you don’t want an EV certificate to be issued for a domain, and someone in a different location tries to issue a certificate, the CA could look at the record and see that they cannot issue one for that domain.”
Looking at the number of TLS certificates issues, Coclin said that around 78 million trusted web certificates are on websites globally, an increase by almost two million since last month, and DigiCert has issued 13 million since the beginning of the year.
For the individual certificates, Coclin said DigiCert had issued 27.4% of the domain validation (DV) certificates (the most was by Lets Encrypt with 49.7%), while DigiCert had issued 59.7% of the EV certificates and 96% of the organization validation (OV) certificates.
Pointing out that the number of TLS certificates had increased in recent years, Coclin said that this was about the move by browsers to highlight those websites not using HTTPS. “No website wants their domain to be seen as not secure, so certificates have increased,” he said.
The next step will be a red line through the address bar to show that a site is not secure, after that there will be an intermediate page saying that the page is not secure with a question of “do you really want to go to it?” The next step will be the same intermediate page saying “the following web page is not secure.”
He added: “Now who wants a website that you cannot get to? That should take us to 100% encryption on the web.”
Looking forward, Coclin predicted that the number of TLS certificates will increase, as well as Verified Mark Certificates in email as DMARC is further deployed. “EV is not going away, it has moved, but I think it is going to change again – maybe for the better or worse – but there are discussions going on and improvements being made, and we’ll see where that goes,” he concluded.
“We used to tell people ‘look for the lock’ but you cannot just do that anymore, as hackers know that is what we were told as they are getting free DV certificates and putting them on their sites and getting verified for 24-48 hours.”