(Note: As a result of valuable feedback from the netsec community, we edited this post to clarify our point of view and removed side points that detracted from the main points of our post: the importance of validation in SSL, and the need to educate consumers that, because of developments in SSL involving automation, simply looking for ‘https’ or a lock in the browser bar isn’t necessarily the indicator of security that it used to be. Thank you for the valuable feedback; we’re always listening and always open to a debate on the issues.)
Namecheap is dedicated to security and privacy for all users. We believe the movement to encrypt nearly all web traffic via automated SSL is a positive development for the Internet. Preventing MITM attacks and other data-interception techniques possible when using HTTP-only is in everyone’s best interest, and that point is not up for debate. However, there’s a big difference between encryption and security, a point that may be trivial to advanced users/professionals, but is extremely relevant for consumers.
We think that validation of a certificate’s owner is an important point that needs to be highlighted and discussed. Recent developments in SSL automation are fantastic from a technical point of view, however, consumers need to be educated on this new security paradigm and the appropriate signals to look for when making a security determination. Looking for ‘https’ and a lock in the browser bar, the traditional indicators that have been messaged as reliable, may not be so reliable anymore when it comes to the consumer definition of security.
The Importance of Validation and Third Party Revocation
With paid certificates from Namecheap, users get validation as well as encryption. Basic validation occurs when the applicant pays via credit card. Then the CA performs further security checks on the domain via various APIs and third parties before issuance (this happens even with the lowest-priced paid DV cert that we offer).
Additionally, any time we receive a report of abusive activity and/or fraud involving a certificate, Namecheap works with CAs to investigate the reported sites, and CAs often take quick action to revoke site certificates as a result. This third-party revocation capability is important; it provides an additional layer of post-issuance protection.
Certificates from automated CAs are definitely useful for personal sites and other non-commercial sites that want to provide encryption for their users when transmitting everyday data. However, when it comes to a scenario that involves information that needs to be protected and held to a higher standard, such as commerce, conducting business online, or transmitting personally identifying information, we believe additional layers of validation are critical for security as defined by the consumer. Paid OV and EV certs offer multiple additional assurance layers as part of a validation process, while automated certificates simply provide an acknowledgement of domain control.
This is a key distinction – the true value in paid SSL security arises from knowing that the owner of the cert is who they say they are, not simply that they control the domain they applied with. With OV certificates, documents from relevant government entities (such as business licenses, certificates/articles of incorporation, or tax permits) are required as the second step of the validation process, providing an extra layer of assurance that the applicant not only controls the domain but also has documentation to verify that they are who they say they are. EV certificates are issued after an even more stringent series of third-party checks, providing additional assurance about the entity that is being certified.
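As an added example (not Namecheap's code), here is a stdlib-only Python check that reads the signals the post says a relying party should look at beyond the lock: whether the certificate subject names an organization (OV/EV) or only a domain (DV), whether the issuer published OCSP/CRL revocation endpoints, and how long the certificate has left. It assumes the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; the EV field set is taken from the CA/Browser Forum EV Guidelines, and the sample certificate dict is constructed, not a real certificate.

```python
# Classify a certificate's validation level and revocation signals from the
# dict that Python's ssl.SSLSocket.getpeercert() returns. Stdlib only.
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require; an OV subject
# has an organizationName but not these, a DV subject has only a commonName.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_dict(cert):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """DV: domain control only. OV: organization named. EV: organization
    plus the EV-mandated identity attributes."""
    subj = subject_dict(cert)
    if "organizationName" not in subj:
        return "DV"
    return "EV" if EV_SUBJECT_FIELDS.issubset(subj) else "OV"

def revocation_endpoints(cert):
    """OCSP responders and CRL distribution points: the channels through which
    a post-issuance revocation reaches relying parties."""
    return {"ocsp": list(cert.get("OCSP", ())),
            "crl": list(cert.get("crlDistributionPoints", ()))}

def days_until_expiry(cert, now_ts):
    """Whole days from the epoch timestamp now_ts to the cert's notAfter."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)

def summarize(cert, now_ts):
    """The signals worth checking beyond 'https and a lock are present'."""
    subj = subject_dict(cert)
    return {"level": validation_level(cert),
            "identity": subj.get("organizationName", "(none: domain control only)"),
            "revocation": revocation_endpoints(cert),
            "days_left": days_until_expiry(cert, now_ts)}

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_OV = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Shop Inc"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("commonName", "Example OV CA"),),),
    "notAfter": "Jun  1 12:00:00 2027 GMT",
    "OCSP": ("http://ocsp.example-ca.test/",),
    "crlDistributionPoints": ("http://crl.example-ca.test/ov.crl",),
}
```

On a live connection, pass the dict from `sock.getpeercert()` and `time.time()` to `summarize()` in place of the constructed sample.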
When it comes to building trust, validation is crucial. Customers have an additional signal of trustworthiness when they see an SSL site seal from a respected security brand indicating that, in addition to providing encryption, your business has been validated by a respected paid provider using multiple avenues of validation. Additionally, given recent developments, we strongly believe that additional education is required on the correct signals for consumers to use when making a security determination; browsers must necessarily shoulder some of this responsibility, however, everyone must take some of the burden on, including providers of automated SSL.
Signal Consumer Trust with Paid SSL
SSL certificates from branded providers provide the security, flexibility, and support that business websites need. Traditional CAs offer certificate lifetimes of up to three years. They support wildcards, offer warranties, and provide integration assistance. With a non-automated CA, you can choose from varying levels of validation – Organization Validation and Extended Validation, in addition to basic Domain Validation. With OV and EV protection, the CA conducts extensive verification of the business behind the website before issuing the cert, and takes quick corrective action when fraud or malicious activity is detected. Support is another significant factor; only paid providers can offer full-time customer service and assistance.
Free SSL certs are a great choice for personal blogs and other basic sites that do not conduct financial transactions or collect sensitive data. However, e-commerce organizations and any site that gathers customer data requiring protection and trust should, as a matter of course, use OV or EV SSL from known and trusted CAs. The levels of encryption, validation, and trust that business and commerce websites require to provide security in the consumer sense, not only encryption, are delivered via these validated products.