If your customers do business with you over the Internet, you need to get an evSSL certificate.
By now, you may have heard your IT leadership talking about evSSL. Although it's relatively new, this technology has become indispensable to any business transferring sensitive customer information online. But it's not a magic cure-all. Here's a quick explanation of how it works, and what its limitations are – so you can make better decisions about its application.
Here are the facts:
Does evSSL make you and your customers completely secure? No.
Is it a step forward? Yes.
Will your customers expect it? Yes.
To explain, first an SSL primer:
SSL stands for Secure Sockets Layer. SSL is a way to encrypt a web browser session between you and a company's website. To use SSL, a company will buy what is called a SSL certificate from a special type of company called a certificate authority, or CA (i.e. Equifax, Verisign, etc). When you access a website protected by SSL, all of the information you send will be encrypted.
How does SSL help protect you? Suppose you want to buy something from bobshobbyshop.com. If Bob is using SSL, you can be sure that no Internet crooks can eavesdrop and steal your credit card number before it gets to Bob. How do I know if Bob is using SSL? Web browsers will show you a padlock icon if SSL is being used, and you may see 'https://' in the URL bar of the browser.
So now that you know a little about SSL, you probably think that it makes you secure, right? I see a padlock, doesn't that mean I'm safe? Unfortunately, no. All the padlock tells you is that your data is encrypted. Two bad things may still happen: thieves may have setup a fake storefront and impersonated Bob (i.e. you got phished), or Bob himself may be a crook.
evSSL to the rescue! evSSL stands for Extended Validation SSL. One problem with ordinary SSL certificates is that almost anyone can get them with virtually no verification. That is how thieves can setup a fake storefront for Bob, and use SSL padlock to fool you. evSSL fixes this problem by establishing a rigorous verification procedure to obtain an evSSL certificate. So only Bob's Hobby Shop, Inc. will be able to get an evSSL certificate for bobshobbyshop.com. And the verification procedures are extra rigorous for high risk organizations, like banks.
How will I know if Bob has an evSSL certificate? Right now, you can only easily tell if you are using Internet Explorer 7 (other browsers will add evSSL features in the coming months). IE7 will change the website location bar to have a green background. Ordinary SSL certificates will still show with a white background as they always have. If you have IE7, you can see this for yourself by going to the Paypal website at https://www.paypal.com. If you haven't upgraded to IE7, take a look at the Microsoft IE7 evSSL green bar example.
So with evSSL I am safe, right? Green means go, right? Well, sort of. evSSL solves the identity problem, so if you go to bobshobbyshop.com you know that you are talking to Bob. But there are still other problems:
In a nutshell, green doesn't really mean go.
Now that you understand what evSSL does and does not give you, let's talk about what it means for your business. If your customers do business with you over the Internet, you need to get an evSSL certificate. Let me repeat that again: If your customers do business with you over the Internet, you need to get an evSSL certificate.
Right or wrong, people will feel better when they see the green bar, and they will begin to expect it. If you don't give them the green bar, your competitors will. In the words of Gartner analyst Avivah Litan, "are people going to trust the green more than white? Yes, they will. All the business is going to go to the greens, it's kind of obvious."
Faced with an IT quandary? Want the latest buzzword explained or just need to know how a technology works? Send me a line: This email address is being protected from spambots. You need JavaScript enabled to view it.
By now, you may have heard your IT leadership talking about evSSL. Although it's relatively new, this technology has become indispensable to any business transferring sensitive customer information online. But it's not a magic cure-all. Here's a quick explanation of how it works, and what its limitations are – so you can make better decisions about its application.
Here are the facts:
Does evSSL make you and your customers completely secure? No.
Is it a step forward? Yes.
Will your customers expect it? Yes.
To explain, first an SSL primer:
SSL stands for Secure Sockets Layer. SSL is a way to encrypt a web browser session between you and a company's website. To use SSL, a company will buy what is called a SSL certificate from a special type of company called a certificate authority, or CA (i.e. Equifax, Verisign, etc). When you access a website protected by SSL, all of the information you send will be encrypted.
How does SSL help protect you? Suppose you want to buy something from bobshobbyshop.com. If Bob is using SSL, you can be sure that no Internet crooks can eavesdrop and steal your credit card number before it gets to Bob. How do I know if Bob is using SSL? Web browsers will show you a padlock icon if SSL is being used, and you may see 'https://' in the URL bar of the browser.
So now that you know a little about SSL, you probably think that it makes you secure, right? I see a padlock, doesn't that mean I'm safe? Unfortunately, no. All the padlock tells you is that your data is encrypted. Two bad things may still happen: thieves may have setup a fake storefront and impersonated Bob (i.e. you got phished), or Bob himself may be a crook.
evSSL to the rescue! evSSL stands for Extended Validation SSL. One problem with ordinary SSL certificates is that almost anyone can get them with virtually no verification. That is how thieves can setup a fake storefront for Bob, and use SSL padlock to fool you. evSSL fixes this problem by establishing a rigorous verification procedure to obtain an evSSL certificate. So only Bob's Hobby Shop, Inc. will be able to get an evSSL certificate for bobshobbyshop.com. And the verification procedures are extra rigorous for high risk organizations, like banks.
How will I know if Bob has an evSSL certificate? Right now, you can only easily tell if you are using Internet Explorer 7 (other browsers will add evSSL features in the coming months). IE7 will change the website location bar to have a green background. Ordinary SSL certificates will still show with a white background as they always have. If you have IE7, you can see this for yourself by going to the Paypal website at https://www.paypal.com. If you haven't upgraded to IE7, take a look at the Microsoft IE7 evSSL green bar example.
So with evSSL I am safe, right? Green means go, right? Well, sort of. evSSL solves the identity problem, so if you go to bobshobbyshop.com you know that you are talking to Bob. But there are still other problems:
- Bob himself may still be a crook
- evSSL identity verification procedures will work well in countries with strong commercial practices and oversight, like the US and UK. It can likely be circumvented in countries without strong commercial practices and oversight, like eastern Europe.
- There are other shortcomings of evSSL, too many to list here. I'll provide some useful links to these in the 'Quick Links' section of the newsletter.
In a nutshell, green doesn't really mean go.
Now that you understand what evSSL does and does not give you, let's talk about what it means for your business. If your customers do business with you over the Internet, you need to get an evSSL certificate. Let me repeat that again: If your customers do business with you over the Internet, you need to get an evSSL certificate.
Right or wrong, people will feel better when they see the green bar, and they will begin to expect it. If you don't give them the green bar, your competitors will. In the words of Gartner analyst Avivah Litan, "are people going to trust the green more than white? Yes, they will. All the business is going to go to the greens, it's kind of obvious."
Faced with an IT quandary? Want the latest buzzword explained or just need to know how a technology works? Send me a line: This email address is being protected from spambots. You need JavaScript enabled to view it.