
Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the services sitting behind it. Then there's the security seals placed on the page and, well, just go and read clubbing seals if you're not already aware of just how fundamentally irrelevant (and even dangerous) they are.

But here's the thing: all of these go into that little processor in people's brains which helps them make a judgement decision on the trustworthiness of the site they're visiting. Rightly or wrongly, they matter.

The trick now is to look at which trust indicators actually make sense not just in the confidence they instil in people visiting a site, but in the actual security benefit they provide. For example, Ashley Madison chose to put a fake security award on their site which probably gave many people more confidence in them whilst setting out to have an illicit affair, but ultimately meant absolutely nothing. An extended validation certificate (EV cert), on the other hand, actually does mean something. I recently decided to get one for Have I Been Pwned (HIBP) and I want to take you through the process here.

Why EV?

Let's start with a definition:

An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the web site or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA). Web browsers show the verified legal identity prominently in their user interface, either before, or instead of, the domain name.

What this means in real terms is that when you look at HIBP now, you see this:

HIBP EV Cert in address bar

This states both HIBP's name and my own (I'll explain why later) as well as the country of origin. I had to jump through a lot of hoops to verify who I am and what HIBP is in order to get that cert. Compare that to the site you're on now:

troyhunt.com with no EV cert

When you think about HTTPS, you should be thinking about confidentiality (your data is protected from eavesdroppers), integrity (it can't be changed in transit) and authenticity (you know who you're talking to). When you're on my blog, you know you're on troyhunt.com but you have no idea who owns it. Now in my case you could go and do a WHOIS and get a pretty good idea, but there are many other cases where content is served over HTTPS and the actual entity controlling the site is difficult to determine. Particularly with the rise and rise of Let's Encrypt and Cloudflare, getting a padlock in the address bar has never been easier but this doesn't actually tell you anything about who's behind it.
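To make the difference concrete, here is an added example (my own illustration, not code from this post, CertSimple or DigiCert) that encodes an X.509 subject name in DER using only the Python standard library, decodes it again, and checks whether it carries the subject attributes the CA/Browser Forum EV Guidelines require (organisation, registration number, business category and jurisdiction) that a DV cert never has. The two sample subjects are constructed: the organisation string mirrors the "Have I Been Pwned (Troy Hunt) [AU]" label shown earlier, the registration number is a placeholder, and the "O [C]" rendering assumes the address-bar format from that screenshot.

```python
"""EV vs DV subject names: what a browser can say about who is behind a site.

Added example, stdlib only. The sample subjects are constructed, not the
contents of any real certificate.
"""

# Attribute OIDs: the first six are standard X.520 attributes, the last two are
# what distinguishes an EV subject (registration number lives in serialNumber).
OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "CN": "2.5.4.3",
    "serialNumber": "2.5.4.5",
    "businessCategory": "2.5.4.15",
    "jurisdictionC": "1.3.6.1.4.1.311.60.2.1.3",  # jurisdictionOfIncorporationCountryName
}
NAMES = {oid: short for short, oid in OIDS.items()}
PRINTABLE = {"C", "jurisdictionC"}  # country codes are PrintableString, the rest UTF8String

def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return _tlv(0x06, bytes(out))

def encode_name(attrs):
    """Encode [(shortName, value), ...] as an RDNSequence, one RDN per attribute."""
    rdns = b""
    for short, value in attrs:
        tag, encoded = (0x13, value.encode("ascii")) if short in PRINTABLE else (0x0C, value.encode("utf-8"))
        atv = _tlv(0x30, encode_oid(OIDS[short]) + _tlv(tag, encoded))  # AttributeTypeAndValue
        rdns += _tlv(0x31, atv)                                         # RDN is a SET
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element), handling long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_name(der):
    """Inverse of encode_name; OIDs not in the table come back in dotted form."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after_oid = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after_oid)
            oid = _decode_oid(oid_body)
            attrs.append((NAMES.get(oid, oid), value.decode("utf-8")))
    return attrs

EV_REQUIRED = {"O", "C", "businessCategory", "jurisdictionC", "serialNumber"}

def ev_required_fields_missing(attrs):
    """EV Guidelines subject fields that are absent; [] means the subject is EV-shaped.
    Necessary, not sufficient: browsers also require the CA's EV policy OID and an EV-enabled root."""
    present = {short for short, _ in attrs}
    missing = set(EV_REQUIRED - present)
    if not ({"L", "ST"} & present):
        missing.add("L or ST")
    return sorted(missing)

def identity_label(attrs):
    """Text a browser can show beside the padlock: 'O [C]' for EV, None for DV (domain only)."""
    if ev_required_fields_missing(attrs):
        return None
    values = dict(attrs)
    return f"{values['O']} [{values['C']}]"

# Constructed sample subjects (placeholder registration number, illustrative category and locality).
EV_SUBJECT = [
    ("jurisdictionC", "AU"), ("businessCategory", "Business Entity"),
    ("serialNumber", "PLACEHOLDER-REGISTRATION-NUMBER"), ("C", "AU"),
    ("ST", "Queensland"), ("L", "Surfers Paradise"),
    ("O", "Have I Been Pwned (Troy Hunt)"), ("CN", "haveibeenpwned.com"),
]
DV_SUBJECT = [("CN", "troyhunt.com")]  # proves control of the name, says nothing about the owner

if __name__ == "__main__":
    for kind, subject in (("EV", EV_SUBJECT), ("DV", DV_SUBJECT)):
        der = encode_name(subject)
        print(kind, len(der), "bytes of DER; label:", identity_label(decode_name(der)),
              "; missing:", ev_required_fields_missing(subject))
```

The point of the round trip is that the identity a browser displays comes straight from subject attributes the CA had to verify, whereas a DV subject holds nothing but the domain. A real EV check has to go further than this subject inspection: the certificate's certificatePolicies extension must carry the issuing CA's EV policy OID and the chain must end at a root the browser trusts for EV, which is why a self-signed cert with these fields filled in still gets no green bar.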

This is an excellent summary from CertSimple who I'll come back to a little later:

Why have an EV

For HIBP, trust is particularly important. It's running in a space with a lot of shady operators doing a lot of dodgy things and I regularly get the question "why should I enter my email address into some random site"? The EV cert doesn't provide any greater security or protect your data any better in transit (this is really important too - make sure you understand that) but it does give people greater confidence in who's behind the site. As you'll see shortly, it's not easy getting an EV cert and when you do see one like on HIBP, at least you now know who you're trusting your data with.

Who should you get your EV cert from?

Neither Let's Encrypt nor Cloudflare offer EV certs; you can't go along and get a freebie from either. However, what you can do is bring your own along to Cloudflare which is what I ultimately did. The question now is where to get it from.

Comodo is the world's largest provider of certs but the problem with them is that they're also not very nice. After the shenanigans they pulled with Let's Encrypt, I really didn't feel inclined to give them any money.

I had a chat to my mate Scott Helme about certificate authorities (CAs) who I could use and he recommended CertSimple based on him knowing Mike MacCana who founded the company. I later met up with Mike in London and he's a great bloke (and fellow Aussie) genuinely trying to do good things with the way CAs issue their EVs. He's trying to make the whole process both simple and fast:

EV HTTPS certificates for Australia delivered in hours, not days.

That's personalised for my locale; you can go and use CertSimple to issue certs for a range of countries across the globe. Ultimately for me though, it was neither simple nor fast, although none of that was CertSimple's fault. In fact they helped enormously as I worked through the requirements. Let's get onto what you need, because it's not as simple as anyone going out and getting an EV cert for any domain they own.

What do you require to obtain an EV?

Frankly, this was the hardest part of the entire process for me and I had a false start along the way too. In a nutshell, you need a legal entity that can own the cert and this is where it all starts to get tricky, not least because the nature of legal entities differs around the world. Do proceed carefully and do your own research; I'm going to tell you about my experiences in Australia and they'll probably be different to other parts of the world.

In Australia, a legal entity that would be eligible to apply for an EV cert is typically either a proprietary limited company or a business. The former is a more expensive construct that requires annual returns submitted to ASIC (the Australian Securities and Investments Commission) that come along with a cost of A$249 each time. They also require annual tax returns and whilst that makes sense for an actively trading company, that's not what I needed for HIBP. I do actually have a proprietary limited company I do all my work under called "Superlative Enterprises Pty. Ltd.", but obviously that's not the name I wanted on the cert.

A business name, however, is a much simpler affair. You can register a name online and it costs a mere A$78 for 3 years. It gives you a name under which you can conduct business and little more. However, it also means you can use that name to register an EV cert as it does become a recognised business that's searchable online and is accompanied by a record of registration. So that's what I did - I set this up:

Original ASIC registration

The summary of the business name and business name holder details then looked like this:

Summary of business name under Superlative

Which is about the time everything started to go wrong. You see, when you register a business name you need to provide an ABN (Australian Business Number) and that belongs to the entity that owns the name. In my innocence, I thought "I've got an ABN, I'll just use my existing company one" and that's why you see the business name holder above. The problem is though, that would mean the address bar would look like this:

EV Superlative address bar

I didn't want the company name in there, not because I wanted it hidden for any nefarious purpose, but because it just didn't make any sense. The whole point of the EV cert is to build trust by providing a name that people recognise and can look at and say "ah, I know who that is" and this just wasn't going to work. So I went back to the drawing board.

Actually, that was in late September; then in October I was in London and caught up with Mike, who helped me work out a better way. When I got home again, I de-registered the business name and then registered it again:

2nd business name registration

Looks the same, right? Almost, let's look at those business name holder details again:

Business name registered under my name

I simply registered a new ABN under my name and then re-registered the HIBP name under that. This meant that if the chain of ownership was followed it stopped at me, which is why the very first screen grab of this post shows "Have I Been Pwned (Troy Hunt) [AU]". When I set out to do this, I hadn't expected to see my name there at all but frankly, I'm glad it's present. I'm very closely linked to the service and I think seeing both HIBP and my name next to each other is a good thing in terms of transparency and the confidence people should have when they see it.

An important footnote on all this: it was much harder for me than it would be for a registered legal entity trading under its own name. Most people looking to acquire an EV cert would skip this entire section and jump straight to the next bit. My scenario is almost certainly an edge case; however, it was worth explaining so there's a better awareness of what goes into getting a cert of this nature.

So that's the back-story on the legal entity I needed, let's get onto actually obtaining the cert.

Acquiring a cert via CertSimple

Let me walk through the process of actually acquiring the EV cert which frankly, after all the business name mucking around, was the easy bit.

CertSimple is true to the name and it all kicks off here:

Required info to register the domain

This obviously isn't exactly how my cert ended up looking in the address bar and that's some feedback I've fed to Mike. Whilst my case was a little unusual, a more common scenario would be registered business names then owned by a parent entity which may need to appear in the address bar. (Yes, I really do live in a place called Surfers Paradise and yes, it is!)

Next up, you'll need a private key:

Generating the CSR

Give it a bit of identity info:

Personal info about owner

And choose how long you want the cert for:

Paying for the cert

And here's the other thing with an EV cert - you pay a lot more money. This is now in USD and where you'd normally be looking at around $70 a year for a normal cert (those issued by Let's Encrypt and Cloudflare aside), you're talking more than 3 times that for an EV. The trust that this class of cert creates doesn't come free and when you consider the steps yet to come, you'll see why. I decided this was a worthwhile investment for HIBP because of all the reasons outlined earlier and ultimately, 65c a day is a justifiable amount to spend. I could have gone other places for the cert that might have saved some dollars, but with all the mucking around I'd already done I wanted the process to be easy and it was well worth the spend with Mike and co to get that.

Moving on, we're now into the validation process and this is where things start to get a bit more manual:

Post-order required actions

Verifying my email address was the easy bit:

Agreeing to the terms of service

We're seeing DigiCert here because they're ultimately the CA CertSimple uses to issue the cert. They're the ones who need to do the verification and bundle it up into a cert. They also do certs for the likes of GitHub, Facebook and the US Department of Homeland Security so it's good company to keep.

And now we reach the end of the automation chain:

Reviewing cert

DigiCert needs to validate both the business name authenticity and that I am who I say I am. The former is done through a combination of me submitting the registration documents and them doing publicly available searches via ASIC. The latter was done by having a Skype video call with me where the engineer asked me to hold up my driver's license to the camera whilst she snapped a pic of it under my face:

Verifying myself via Skype video

(Not included in photo: my driver's license!)

And that was pretty much it. A little confusion ensued due to the old business name still being searchable whilst pending de-registration, but we got through that and the cert promptly arrived:

Cert issued via email

From there it was the usual process of mucking around with certificate formats to get from what's provided by the CA to what's required by the host, but a bit of OpenSSL and that was sorted out pretty smartly. A few minutes later and you get the first screen grab of the post or if you're an Edge user, you get this:

The cert in Edge

Or for the iPhone folks:

EV cert on iOS

And so on and so forth. It's particularly prominent in Safari on iOS as the entire URL disappears, replaced by the controlling entity's name (it also drops the country of origin).

And that's it - green bar, business name, my name, job done!

Summary

This whole EV cert thing is hard to measure in terms of value; I have no idea how many more people will put their email address into HIBP or how much more media or good will or donations it will get. No idea at all. It'll help a bit when there's impersonation in the same way as HIBP's verified Twitter account helps, that's honestly the most valuable situation I can conceive of right now.

Websites will go to quite some lengths to try and create a sense of trust and you'll see all sorts of stats as to why one company's seal increases conversions by [whatever]%. But what I do know is that it adds transparency and legitimacy to a realm that, as I mentioned earlier, tends to be inhabited by a lot of shady characters, and that's gotta count for something.


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals