
Certification credited with boosting online confidence

Alliance promoting extended certificate validation for Web sites touts the benefits of an online shopping survey and new rules by the IRS for all 2009 e-filing sites.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

Extended certificate validation for Web sites has boosted online confidence in 2008, according to a statement released Thursday by the Authentication and Online Trust Alliance (AOTA).

This could help online consumers looking for sites to trust on Cyber Monday, the first shopping Monday after Thanksgiving when online purchases are at their peak.

Sites that add Extended Validation (EV) certificates to Secure Sockets Layer (SSL) encryption display their URLs in a green bar in the address field of compatible browsers. This signals to the user that the Web site has undergone increased scrutiny. In Firefox 3, a user clicks the green bar to see additional certificate information; the same is true of Internet Explorer.

The idea here is that a trusted third-party certificate authority will vouch for the Web site beyond the minimal "domain validation only" in place today with traditional SSL certificates. EV SSL sites must establish a legal identity and a physical presence for the site owner, establish that the owner has exclusive control of the site, and confirm the identity of the owner.

A study last year by Tech Ed Research found that participants were more likely to click on a link with a green EV SSL indicator than on one with the padlock icon traditionally associated with SSL.

The AOTA also announced that starting in January 2009, the US Internal Revenue Service will require all authorized IRS e-file providers participating in online filing of individual income tax returns to have a valid and current EV SSL certificate. The IRS is also requiring e-file sites to publish privacy information and safeguard policies, to obtain a privacy seal signifying an IRS-approved service, and to report all security and privacy breaches directly to the IRS.

PayPal and eBay have both been early supporters of EV SSL. In April, PayPal announced it would block users who did not use an EV SSL-compatible browser on its site. In May, a researcher found a vulnerability with EV SSL that affected PayPal and other sites, a flaw that was quickly remedied.

Browsers supporting EV SSL include Microsoft's Internet Explorer 7, Internet Explorer 8, Safari 3.2, Firefox 3, Opera 9.5, and Google Chrome.