The Slow Death of EV Certificates

In this lesson, we'll learn what EV certificates are and why they aren't necessary.

Introduction

More than once in my career I’ve been asked to provision an EV certificate for a web application, and every single time I managed to get out of it, not out of laziness, but because of what these certificates actually do for security. In short, they have no influence on security and cost a lot of money. Let’s learn what EV certificates are and why you don’t need to use one.

What are Extended Validation certificates?

Extended Validation (EV) certificates are a type of SSL certificate that aims to increase users’ security by performing additional identity verification before the certificate is issued. On paper, this additional level of scrutiny should allow CAs to prevent bad actors from obtaining SSL certificates for malicious purposes, a truly remarkable feat if it worked that way. Instead there have been some egregious cases, like the one where a researcher named Ian Carroll was able to obtain an EV certificate for an entity named “Stripe, inc” from a CA. Long story short, CAs are not able to guarantee an increased level of security for EV certificates.
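It helps to see what “being an EV certificate” actually means on the wire. An EV certificate is cryptographically identical to any other leaf certificate; the only difference is a policy OID in its certificatePolicies extension (RFC 5280, section 4.2.1.4). The CA/Browser Forum EV policy OID is 2.23.140.1.1, and browsers used to match that OID (or a CA-specific OID from a hardcoded list) to decide whether to show the special UI. The following is an added example, not code from the lesson or from any CA or browser: it encodes and decodes that extension in pure Python so you can see that the EV marker is a few bytes of metadata, and that chain validation and the TLS handshake never treat it differently. The DV and OV OIDs are the real CA/Browser Forum values; the sample policy lists and the `extra_ev_oids` parameter are constructed for the demo.

```python
"""
Added example (not from the original lesson): encode and decode the X.509
certificatePolicies extension (RFC 5280, section 4.2.1.4) in DER and report
whether it carries an EV policy identifier.

Real values:   2.23.140.1.1 (EV), 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV)
Constructed:   the sample policy lists built at the bottom of this file.
"""

CABF_EV_OID = "2.23.140.1.1"     # CA/Browser Forum Extended Validation
CABF_DV_OID = "2.23.140.1.2.1"   # CA/Browser Forum Domain Validated
CABF_OV_OID = "2.23.140.1.2.2"   # CA/Browser Forum Organization Validated


def _tlv(tag, body):
    """Wrap body in a DER tag-length-value, using long-form length if needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Encode a dotted-decimal OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted text."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_certificate_policies(oids):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation,
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def policy_oids(ext_value):
    """Return the policy OIDs found in a DER-encoded certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)   # policyIdentifier comes first
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def is_ev(ext_value, extra_ev_oids=()):
    """True if the extension carries the CA/B Forum EV OID or one of the
    caller-supplied CA-specific EV OIDs (browsers kept such lists hardcoded)."""
    found = policy_oids(ext_value)
    return any(o == CABF_EV_OID or o in extra_ev_oids for o in found)


if __name__ == "__main__":
    # Constructed sample extensions: one "EV" leaf and one plain DV leaf.
    ev_ext = encode_certificate_policies([CABF_EV_OID, CABF_OV_OID])
    dv_ext = encode_certificate_policies([CABF_DV_OID])
    print("EV extension bytes:", ev_ext.hex())
    print("EV policies:", policy_oids(ev_ext), "-> is_ev:", is_ev(ev_ext))
    print("DV policies:", policy_oids(dv_ext), "-> is_ev:", is_ev(dv_ext))
```

Everything that distinguishes the two sample certificates is in those few hex bytes; the signature, key, chain building and revocation checks are exactly the same for both, which is why removing the EV UI cost browsers nothing in security.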

They made for a pretty UI

If you’re wondering why EV certificates are still used, here is the quick answer: under the false assumption of added security, EV certificates used to have a special UI in browsers, a vanity feature that CAs would charge an exorbitant amount of money for (in some cases more than $1,000 for a single-domain EV certificate). This is how an EV certificate would show up in the user’s browser:
