Only 1 Percent of SSL-Secured Sites Use Extended Validation SSL

Two years after its rollout, the more secure Extended Validation Secure Sockets Layer (EV SSL) digital certificate for authenticating Websites and securing Web sessions is used on more than 11,000 Websites worldwide. But that's only 1 percent of the 1.03 million sites currently secured with SSL certificates, according to Netcraft.

Meanwhile, calls for EV SSL adoption have intensified amid concerns of new man-in-the-middle (MITM) attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack that allows the creation of forged CA and X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC that basically makes users think they are visiting a secure Website when they are not.

SSL-secured sites with EV SSL display a green address bar when used with the latest versions of most major Web browsers. The green address bar bears the name of the Website's organization that owns the certificate, as well as the authority that issued it. EV SSL ensures that the site is legitimate, and that the session is encrypted and secured.

According to Netcraft's latest numbers on EV SSL adoption, today's main adopters are the world's most traveled Websites; more than one-fourth of SSL certificates in the top 1,000 sites use EV SSL. And most of the most popular browsers support it, so more than 70 percent of all Internet users are using EV SSL-ready browsers today, Netcraft says.

Tim Callan, vice president of product marketing for VeriSign, says the good news is that many of the major Websites in ecommerce now have EV SSL, including eBay, PayPal, Travelocity, and Schwab. "These are leaders...the adoption among flagship sites has been very good news for the visibility of the green bar, in general," he says. "We are in conversations with lots of businesses that plan to go EV SSL -- it's on their road maps."

EV SSL is considered a major defense against being duped into believing a phishing site is a legitimate one. But whether those enterprises that don't fall into the eBay-size category can afford the starting cost of $1,000 per year per server (not including volume and multiyear discounts) is unclear in the current financial climate. VeriSign's Callan says one major hurdle to EV SSL adoption in many enterprises is the disconnect between those who run the Web servers and those who handle customer satisfaction and sales issues.

"I was surprised at the level of disconnect," he says. "These two groups often don't know each other, and we at VeriSign end up bridging the two."

Another issue is that enterprises often have long road maps for their Websites. "They have plans for sites that extend for years into the future," Callan says.

Security experts like Dan Kaminsky recommend EV SSL as one solution for protecting against phishing and MITM-type attacks on Websites. The Internal Revenue Service, the International Telecommunications Union, and The Authentication and Online Trust Alliance all have endorsed EV SSL.

VeriSign currently provides about 75 percent of all EV SSL certificates worldwide, the company says. "I think every site that's asking for sensitive information should go to EV SSL right away," VeriSign's Callan says. "Do I wish it was [being adopted] faster? Absolutely. But in the real world, it takes time to get it migrated over."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message