Comodo SSL Certificate FAQ - EV SSL & HTTPS
Extended Validation (EV) SSL Certificates are the next generation of SSL Certificate because they help protect against phishing attacks. They work with web browsers (e.g. Internet Explorer 7 and above, Firefox 3.0 and Opera 9.5) so that visitors to Websites with an EV SSL Certificate will see a "Green Address Bar". EV SSL Certificates represent a new industry standard for e-merchant identity verification developed by the CA/B Forum.
What are the benefits of EV SSL Certificates to Web site owners?
An EV SSL Certificate helps you gain competitive advantage by increasing trust in your Web site that translates into higher conversion rates and increased revenue.
Comodo's EV Enhancer™ makes the new "Green Address Bar" browser indicator for EV SSL Certificates backward compatible with Microsoft® Internet Explorer 7 and above on Windows™ XP by getting a trusted Comodo Root Certificate installed on the visitor's PC. It should be used by companies deploying EV SSL Certificates on web servers other than Apache or Microsoft® IIS. (If you are using Apache or Microsoft® IIS we recommend you use Comodo's EV AUTO-Enhancer™ described at the top of this page.)
How does EV Enhancer™ work?
In order for the "Green Address Bar" to be displayed for a secure website in Microsoft® Internet Explorer 7 and above, the relevant Root Certificate must be present in the client's Trusted Root Certificate store and it must also have an EV Policy Object Identifier (OID) associated with it. In Windows Vista, EV Policy OIDs are assigned automatically via the Automatic Root Update facility. However in Windows XP (the dominant Operating System in the market today), the Automatic Root Update facility is unable to assign EV Policy OIDs to "legacy" Root Certificates that are already present in the Microsoft Root Certificate Program. This forces every Certificate Authority to add a new Root Certificate to the Microsoft Root Certificate Program with the applicable EV Policy OID assigned to it. The difficulty on Windows XP is that new Root Certificates are only distributed on demand through Windows Update. Every week, Windows downloads a signed list of all roots in the root program, and when it validates a certificate, Windows XP behaves as follows:
- Windows XP first tries to build a chain using certificates from the TLS/SSL protocol, in addition to the local certificate stores;
- If Windows is unable to find a chain up to a self-signed certificate, Windows tries to download additional certificates using information in the certificate;
- If a chain up to a self-signed certificate can not be found, Windows tries to find a match in the signed list of roots retrieved from Windows Update. If a match is found, the Root Certificate is then downloaded and installed silently.
In most cases Windows XP will find a legacy Root Certificate (for Comodo this is UTN and AddTrust), which means that at least one trusted certificate chain is found during the first phase and no new EV root is installed. Therefore, the Root Update mechanism provided by Microsoft cannot be relied on by itself. To solve this problem, the website must trigger a TLS/SSL connection to an HTTPS URL that serves a certificate that is not cross signed, does not refer (e.g. through an issuer URL) to a legacy Root, and returns only the End Entity and Issuing CA certificates. Windows XP is then forced to validate a certificate chain for which it must download the new EV root.
The figure below shows the process in more detail:
- Consumer PC visits https://www.myEVsite.com and the web server returns the chain including the cross certificate to the user during TLS/SSL negotiation;
- The website contains an EV Enhancer™ script pointing to https://ev-enhancer.comodo.com;
- The user's browser makes a second TLS/SSL negotiation with ev.cadomain.com, which returns a different End Entity certificate and no cross signed certificate;
- Windows XP validates End Entity B, is unable to build a chain to a known self-signed certificate, and so falls back to the signed root list from Windows Update, from which the new EV Root is downloaded and installed silently.
Based on the above scenario, the user will not see the "Green Address Bar" in Internet Explorer 7 and above until the second visit to the site. This can be improved to a first visit if the home page of the website is not an HTTPS URL and the EV Enhancer™ technology is activated from a page leading up to the HTTPS EV SSL trusted page: the EV Enhancer™ then downloads and installs the EV Root from Windows Update before the user enters the SSL connection. This requires your website administrator to add a link to an HTTPS "beacon" site on each entry page of your website.
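To make the three-phase behaviour and the beacon trick concrete, the following Python model (added here; it is not Comodo's code and not the real CryptoAPI) replays the chain-building steps listed above over constructed certificates. The certificate names, the beacon hostname ev.cadomain.com, the AIA URL http://crt.example/cross.crt and the EV policy OID are placeholders chosen for illustration, not values taken from the page. It walks four connections: the main site with its cross certificate, a "naive" beacon whose issuing CA still points at the cross certificate through its issuer URL, the proper beacon, and the main site again.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EV_OID = "1.2.3.4.5.6.7"  # placeholder EV policy OID (assumed, not Comodo's)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: Tuple[str, ...] = ()  # certificatePolicies; the leaf carries the EV OID
    aia: Optional[str] = None       # URL of the issuer certificate (AIA), if any

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class ClientPC:
    store: Dict[str, Cert]                         # trusted roots, by subject
    ev_oids: Dict[str, Set[str]]                   # EV OIDs Windows maps to each root
    update_list: Dict[str, Tuple[Cert, Set[str]]]  # roots on the signed Windows Update list
    installed: List[str] = field(default_factory=list)


def _issuer_of(cert, pool, store):
    # A self-signed root already trusted locally wins over a cross certificate.
    root = store.get(cert.issuer)
    if root is not None and root.self_signed:
        return root
    return next((c for c in pool if c.subject == cert.issuer), None)


def _walk(leaf, pool, store):
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].self_signed:
        nxt = _issuer_of(chain[-1], pool, store)
        if nxt is None or nxt.subject in seen:
            return chain, False
        seen.add(nxt.subject)
        chain.append(nxt)
    return chain, True


def build_chain(pc, leaf, supplied, internet):
    """Run the three phases; return (chain, phase that completed it, or 0)."""
    pool = list(supplied) + list(pc.store.values())       # phase 1: TLS certs + local stores
    chain, ok = _walk(leaf, pool, pc.store)
    if ok:
        return chain, 1
    for c in chain:                                       # phase 2: fetch via issuer URLs
        if c.aia in internet:
            pool.append(internet[c.aia])
    chain, ok = _walk(leaf, pool, pc.store)
    if ok:
        return chain, 2
    missing = chain[-1].issuer                            # phase 3: signed root list
    if missing in pc.update_list:
        root, oids = pc.update_list[missing]
        pc.store[root.subject], pc.ev_oids[root.subject] = root, oids
        pc.installed.append(root.subject)                 # silent install
        chain, ok = _walk(leaf, pool + [root], pc.store)
        if ok:
            return chain, 3
    return chain, 0


def green_bar(pc, chain):
    """Green bar needs a trusted root with an EV OID that the leaf also asserts."""
    root = chain[-1]
    if not (root.self_signed and pc.store.get(root.subject) is root):
        return False
    return bool(set(chain[0].policies) & pc.ev_oids.get(root.subject, set()))


# Constructed certificates (names are placeholders).
LEGACY_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root")
EV_ROOT = Cert("COMODO EV Root", "COMODO EV Root")
CROSS = Cert("COMODO EV Root", "AddTrust External CA Root")          # cross certificate
ISSUING = Cert("COMODO EV Issuing CA", "COMODO EV Root")
ISSUING_AIA = Cert("COMODO EV Issuing CA", "COMODO EV Root", aia="http://crt.example/cross.crt")
LEAF_A = Cert("www.myEVsite.com", "COMODO EV Issuing CA", (EV_OID,))
LEAF_B = Cert("ev.cadomain.com", "COMODO EV Issuing CA", (EV_OID,))
INTERNET = {"http://crt.example/cross.crt": CROSS}                    # what AIA fetches return


def fresh_xp():
    # Windows XP: legacy root trusted but with no EV OID; EV root only on the update list.
    return ClientPC({LEGACY_ROOT.subject: LEGACY_ROOT}, {LEGACY_ROOT.subject: set()},
                    {EV_ROOT.subject: (EV_ROOT, {EV_OID})})


def visit(pc, leaf, supplied):
    chain, phase = build_chain(pc, leaf, supplied, INTERNET)
    return phase, chain[-1].subject, green_bar(pc, chain)


def simulate():
    pc = fresh_xp()
    first = visit(pc, LEAF_A, [ISSUING, CROSS])   # main site, cross cert supplied
    naive = visit(pc, LEAF_B, [ISSUING_AIA])      # beacon whose issuer URL leads back to the cross cert
    beacon = visit(pc, LEAF_B, [ISSUING])         # proper beacon: no cross cert, no issuer URL
    second = visit(pc, LEAF_A, [ISSUING, CROSS])  # main site again
    return first, naive, beacon, second, pc.installed
```

Running `simulate()` shows the first visit and the naive beacon both terminating at the legacy root in phases 1 and 2 with no root installed and no green bar, the proper beacon reaching phase 3 and installing the EV root, and the second visit to the main site then chaining to the EV root and qualifying for the green bar even though the server still sends the cross certificate.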
SGC is Server Gated Cryptography. It allows a certificate to 'step up' older browsers that are only capable of weak, 40-bit encryption to 128/256-bit encryption without the browser needing to be upgraded. It was introduced at a time when stringent United States encryption export laws only allowed exported browsers to encrypt at 40-bit strength. There are still millions of users of these older browsers, so websites wishing to offer the highest level of trust and 256-bit encrypted transactions to the widest possible customer base should consider EV SGC SSL Certificates.
Sure. Comodo can offer you a quick migration path from your existing High Assurance SSL Certificate to an EV SSL Certificate. After your reservation, you may have to submit additional documentation. The Comodo sales team will assist you throughout the process. So submit your contact information and we will contact you shortly. Alternatively, call US toll free: 1 888 266 6361 or from outside of the US: 1 703.581.6361.
Is my existing High Assurance SSL Certificate still sufficient for protecting online transactions?
Your Comodo SSL Certificate will continue to encrypt the data transferred between your Web site and your customer's Web browser so that it cannot be read or altered in transit. In addition your current High Assurance SSL Certificate will continue to provide identity assurance for your Web site.
All Extended Validation Certificates undergo a new validation process that has been established by the industry group CA/B Forum. This vetting process ensures rigorous validation of both domain name and company details before issuance, in order to provide the highest levels of security and trust for your customers.
The EV SSL Certificate Validation Process
The goal of the validation process is to give consumers a way to distinguish legitimate sites from phishing sites. The increased trust and consumer protection offered by EV certificates necessarily involves a more rigorous validation process. This new procedure has been established by the industry group CA/B Forum.
Some basic requirements that a business needs to meet to obtain an EV SSL certificate include (but are not limited to):
- Legal status as a company created by government filing
- Registration number of incorporation
- Place of business is in same jurisdiction (e.g. country) as place of business registration
- Organization name
- Business name
- Full address and main phone number of place of business
Not sure if your business is incorporated? Click here to find out.