Archive for December, 2008
What a crock
In a recent conversation with a colleague on SSL and how it worked, it occurred to me that I really had no idea what extended verification certificates actually did, other than turn the address bar green and display the company name. What was the “extended verification” that made EV certs better than normal certs? In a normal SSL connection the client can do a reverse lookup based off of the cert to verify the host, but DNS poisoning would obviously render this worthless. Do EV Certs have some magic in their “extended verification” that addresses this shortcoming?
In a word, no. There is no technical advancement in the EV cert. No technology in the EV certificate makes it a better option than a normal cert or works around the regular cert's weakness in verifying hosts. What the EV means is that the cert authority no longer does a half-assed job verifying that they are issuing a certificate for a particular company to that company. They do a bit more background checking so that they can attest that the company listed in the cert is really the same company requesting it. It is brilliant marketing, as you are paying two to three times the cost of a normal cert just to turn the address bar green and to get the CA to actually do some checking on who requests a cert.
The thing is, despite the fact that there is no technological benefit to this, and the fact that current cert prices should have already included verifying the requester, that stupid green address bar is probably worth the money just to increase customer confidence. But go ahead and be bitter about it, since that shade of green is going to cost you another grand for each certificate. Man, is Verisign brilliantly evil in their product ideas, right up there with the guy who conned children into buying pet rocks.
~ Joshbw