Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and infer from its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the services sitting behind it. Then there are the security seals placed on the page and, well, just go and read clubbing seals if you're not already aware of just how fundamentally irrelevant (and even dangerous) they are.
But here's the thing: all of these go into that little processor in people's brains which helps them make a judgement call on the trustworthiness of the site they're visiting. Rightly or wrongly, they matter.
The trick now is to look at which trust indicators actually make sense not just in the confidence they instil in people visiting a site, but in the actual security benefit they provide. For example, Ashley Madison chose to put a fake security award on their site which probably gave many people more confidence in them whilst setting out to have an illicit affair, but ultimately meant absolutely nothing. An extended validation certificate (EV cert), on the other hand, actually does mean something. I recently decided to get one for Have I Been Pwned (HIBP) and I want to take you through the process here.
Let's start with a definition:
An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the web site or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA). Web browsers show the verified legal identity prominently in their user interface, either before, or instead of, the domain name.
What this means in real terms is that when you look at HIBP now, you see this:
This states both HIBP's name and my own (I'll explain why later) as well as the country of origin. I had to jump through a lot of hoops to verify who I am and what HIBP is in order to get that cert. Compare that to the site you're on now:
When you think about HTTPS, you should be thinking about confidentiality (your data is protected from eavesdroppers), integrity (it can't be changed in transit) and authenticity (you know who you're talking to). When you're on my blog, you know you're on troyhunt.com but you have no idea who owns it. Now in my case you could go and do a WHOIS and get a pretty good idea, but there are many other cases where content is served over HTTPS and the actual entity controlling the site is difficult to determine. Particularly with the rise and rise of Let's Encrypt and Cloudflare, getting a padlock in the address bar has never been easier but this doesn't actually tell you anything about who's behind it.
This is an excellent summary from CertSimple who I'll come back to a little later:
For HIBP, trust is particularly important. It's running in a space with a lot of shady operators doing a lot of dodgy things and I regularly get the question "why should I enter my email address into some random site?" The EV cert doesn't provide any greater security or protect your data any better in transit (this is really important too - make sure you understand that) but it does give people greater confidence in who's behind the site. As you'll see shortly, it's not easy getting an EV cert and when you do see one like on HIBP, at least you now know who you're trusting your data with.
Who should you get your EV cert from?
Neither Let's Encrypt nor Cloudflare offer EV certs; you can't go along and get a freebie from either. However, what you can do is bring your own along to Cloudflare which is what I ultimately did. The question now is where to get it from.
Comodo is the world's largest provider of certs but the problem with them is that they're also not very nice. After the shenanigans they pulled with Let's Encrypt, I really didn't feel inclined to give them any money.
I had a chat to my mate Scott Helme about which certificate authorities (CAs) I could use and he recommended CertSimple based on his knowing Mike MacCana who founded the company. I later met up with Mike in London and he's a great bloke (and fellow Aussie) genuinely trying to do good things with the way CAs issue their EVs. He's trying to make the whole process both simple and fast:
That's personalised for my locale; you can go and use CertSimple to issue certs across the globe. Ultimately for me though, it was neither simple nor fast, although none of that was CertSimple's fault; in fact they helped enormously as I worked through the requirements. Let's get onto what you need, because it's not as simple as anyone just going out and getting an EV cert for any domain they own.
What do you require to obtain an EV?
Frankly, this was the hardest part of the entire process for me and I had a false start along the way too. In a nutshell, you need a legal entity that can own the cert and this is where it all starts to get tricky, not least because the nature of legal entities differs around the world. Do proceed carefully and do your own research; I'm going to tell you about my experiences in Australia and they'll probably be different to other parts of the world.
In Australia, a legal entity that would be eligible to apply for an EV cert is typically either a proprietary limited company or a business. The former is a more expensive construct that requires annual returns submitted to ASIC (the Australian Securities and Investments Commission) that come along with a cost of A$249 each time. They also require annual tax returns and whilst that makes sense for an actively trading company, that's not what I needed for HIBP. I do actually have a proprietary limited company I do all my work under called "Superlative Enterprises Pty. Ltd.", but obviously that's not the name I wanted on the cert.
A business name, however, is a much simpler affair. You can register a name online and it costs a mere A$78 for 3 years. It gives you a name under which you can conduct business and little more. However, it also means you can use that name to register an EV cert as it does become a recognised business that's searchable online and is accompanied by a record of registration. So that's what I did - I set this up:
The summary of the business name and business name holder details then looked like this:
Which is about the time everything started to go wrong. You see, when you register a business name you need to provide an ABN (Australian Business Number) and that belongs to the entity that owns the name. In my innocence, I thought "I've got an ABN, I'll just use my existing company one" and that's why you see the business name holder above. The problem is though, that would mean the address bar would look like this:
I didn't want the company name in there, not because I wanted it hidden for any nefarious purpose, but because it just didn't make any sense. The whole point of the EV cert is to build trust by providing a name that people recognise and can look at and say "ah, I know who that is" and this just wasn't going to work. So I went back to the drawing board.
Actually, that was late September; then in October I was in London and caught up with Mike who helped me work out a better way. When I got home again, I de-registered the business name and then registered it again:
Looks the same, right? Almost, let's look at those business name holder details again:
I simply registered a new ABN under my name and then re-registered the HIBP name under that. This meant that if the chain of ownership was followed it stopped at me, which is why the very first screen grab of this post shows "Have I Been Pwned (Troy Hunt) [AU]". When I set out to do this, I hadn't expected to see my name there at all but frankly, I'm glad it's present. I'm very closely linked to the service and I think seeing both HIBP and my name next to each other is a good thing in terms of transparency and the confidence people should have when they see it.
An important footnote on all this: it was much harder for me than it would be for a registered legal entity trading under its own name. Most people looking to acquire an EV cert would skip this entire section and jump straight to the next bit. My scenario is almost certainly an edge case; however, it was worth explaining so there's a better awareness of what goes into getting a cert of this nature.
So that's the back-story on the legal entity I needed, let's get onto actually obtaining the cert.
Acquiring a cert via CertSimple
Let me walk through the process of actually acquiring the EV cert which frankly, after all the business name mucking around, was the easy bit.
CertSimple is true to the name and it all kicks off here:
This obviously isn't exactly how my cert ended up looking in the address bar and that's some feedback I've given to Mike. Whilst my case was a little unusual, a more common scenario would be a registered business name owned by a parent entity which may need to appear in the address bar. (Yes, I really do live in a place called Surfers Paradise and yes, it is!)
Next up, you'll need a private key:
Give it a bit of identity info:
And choose how long you want the cert for:
And here's the other thing with an EV cert - you pay a lot more money. This is now in USD and where you'd normally be looking at around $70 a year for a normal cert (those issued by Let's Encrypt and Cloudflare aside), you're talking more than 3 times that for an EV. The trust that this class of cert creates doesn't come free and when you consider the steps yet to come, you'll see why. I decided this was a worthwhile investment for HIBP because of all the reasons outlined earlier and ultimately, 65c a day is a justifiable amount to spend. I could have gone other places for the cert that might have saved some dollars, but with all the mucking around I'd already done I wanted the process to be easy and it was well worth the spend with Mike and co to get that.
Moving on, we're now into the validation process and this is where things start to get a bit more manual:
Verifying my email address was the easy bit:
We're seeing DigiCert here because they're ultimately the CA CertSimple uses to issue the cert. They're the ones who need to do the verification and bundle it up into a cert. They also do certs for the likes of GitHub, Facebook and the US Department of Homeland Security so it's good company to keep.
And now we reach the end of the automation chain:
DigiCert needs to validate both the business name authenticity and that I am who I say I am. The former is done through a combination of me submitting the registration documents and them doing publicly available searches via ASIC. The latter was done by having a Skype video call with me where the engineer asked me to hold up my driver's license to the camera whilst she snapped a pic of it under my face:
(Not included in photo: my driver's license!)
And that was pretty much it. A little confusion ensued because the old business name was still searchable whilst pending de-registration, but we got through that and the cert promptly arrived:
From there it was the usual process of mucking around with certificate formats to get from what's provided by the CA to what's required by the host, but a bit of OpenSSL and that was sorted out pretty smartly. A few minutes later you get the first screen grab of the post or, if you're an Edge user, you get this:
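As an added example (not code from this post, nor CertSimple's or DigiCert's tooling), here is the file-handling side of the steps above: the private key, the CSR carrying the identity details a CA validates, the issued cert, a chain check, and the OpenSSL conversion from what the CA hands back to what a host wants. It signs with a throwaway local CA standing in for DigiCert so it runs offline, and it assumes the host wants a PKCS#12 bundle (the post doesn't say which format HIBP's host needed). Every name and value in the subject is constructed, the ABN is a placeholder, and the `businessCategory` value is an assumption. For contrast it also issues a second cert that names only a domain, the kind of cert that gives you a padlock but, as the post says of troyhunt.com, tells you nothing about who is behind it.

```shell
#!/bin/sh
# Added example: key -> CSR -> issued cert -> chain check -> host bundle, run
# against a throwaway local CA (a stand-in for the real CA) so it works offline.
# Nothing here performs the identity validation the post describes; that is
# the CA's job. All names, values and the ABN below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"   # export password for the PKCS#12 bundle (constructed)

# Subject for the EV-style cert. businessCategory and serialNumber are the
# X.520 attributes EV certs use for entity type and registration number; the
# values are assumptions for illustration, not HIBP's real registration data.
EV_SUBJECT="/C=AU/ST=Queensland/L=Surfers Paradise/O=Have I Been Pwned (Troy Hunt)/businessCategory=Business Entity/serialNumber=ABN-PLACEHOLDER/CN=haveibeenpwned.com"
# Subject for a domain-only cert: nothing but the host name to show.
DV_SUBJECT="/CN=troyhunt.com"

# Throwaway CA: self-signed, with the CA:TRUE constraint a verifier insists on.
make_local_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/C=AU/O=Throwaway Test CA (constructed)/CN=Throwaway Test CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca_ext.cnf"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1: the private key (never leaves the server) and the CSR the CA receives.
make_key_and_csr() {  # $1 = file stem, $2 = subject string
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}

# Step 2: issuance. Browsers need the host name in a SAN, so add one.
issue_cert() {  # $1 = csr, $2 = output cert, $3 = DNS name for the SAN
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/san.cnf"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$2" 2>/dev/null
}

# Step 3: does the issued cert chain to the CA we expect? Non-zero exit if not.
verify_chain() {  # $1 = cert
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null
}

# Pull one attribute out of the subject; this is what the browser reads to
# decide whether it has an organisation name to show beside the padlock.
subject_field() {  # $1 = cert, $2 = attribute short name (O, C, CN, ...)
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^ *$2 *= *//p"
}

# Step 4: the format shuffle. Leaf + key + CA chain into one PKCS#12 bundle.
bundle_for_host() {  # $1 = cert, $2 = key, $3 = output .pfx
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$WORK/ca.crt" \
    -passout "pass:$PFX_PASS" -out "$3"
}

# Sanity check on the bundle: leaf and CA should both be inside.
bundle_cert_count() {  # $1 = .pfx
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_local_ca
make_key_and_csr site "$EV_SUBJECT"
issue_cert "$WORK/site.csr" "$WORK/site.crt" haveibeenpwned.com
verify_chain "$WORK/site.crt"
bundle_for_host "$WORK/site.crt" "$WORK/site.key" "$WORK/site.pfx"

make_key_and_csr dv "$DV_SUBJECT"
issue_cert "$WORK/dv.csr" "$WORK/dv.crt" troyhunt.com

echo "EV-style cert, O= field: $(subject_field "$WORK/site.crt" O)"
echo "Domain-only cert, O= field: '$(subject_field "$WORK/dv.crt" O)'"
echo "Certificates inside $WORK/site.pfx: $(bundle_cert_count "$WORK/site.pfx")"
```

Run it as `sh ev-bundle.sh`; set `WORK` to keep the output somewhere other than a temp directory. The `subject_field` call is the useful bit to keep around: pointed at whatever cert you are about to deploy, an empty `O=` tells you it will show a padlock and nothing else, whichever CA issued it.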
Or for the iPhone folks:
And so on and so forth. It's particularly prominent in Safari on iOS as the entire URL disappears, replaced by the controlling entity's name (it also drops the country of origin).
And that's it - green bar, business name, my name, job done!
This whole EV cert thing is hard to measure in terms of value; I have no idea how many more people will put their email address into HIBP or how much more media, goodwill or donations it will get. No idea at all. It'll help a bit when there's impersonation, in the same way as HIBP's verified Twitter account helps; that's honestly the most valuable situation I can conceive of right now.
Websites will go to quite some lengths to try and create a sense of trust and you'll see all sorts of stats as to why one company's seal increases conversions by [whatever]%. But what I do know is that it adds transparency and legitimacy to a realm that, as I mentioned earlier, tends to be inhabited by a lot of shady characters and that's gotta count for something.