A Domain Validated (DV) SSL certificate is the easiest type of SSL certificate to obtain, but it has much less value to consumers than a higher level of certification. Although DV certificates cost less, some certification authorities may refuse to issue them because of the risk of phishing.
To validate a domain, a certification authority only needs to check whether the entity applying for the certification owns the domain name and approves the application. The DV SSL certification process does not provide any information about the domain owner, so fraudulent companies or individuals posing as legitimate ones can easily obtain this type of certificate. If the certification authority uses only email to determine ownership and obtain permission, it can save money by automating the process while neglecting to do any human vetting of the applicant.
Extended Validation (EV) describes the process of verifying the domain owner’s identity according to a set of criteria (Guidelines for Extended Validation Certificates) developed by a consortium of stakeholders, including certification authorities, software developers and lawyers, among others.
However, all types of SSL certification, including DV SSL, use the little padlock icon that shows up in the user’s browser, so average consumers often do not know which kind of SSL certificate they are seeing. Unfortunately, phishers recognize this, and have started to obtain lower-level DV SSL certificates to fool their targets into thinking they are legitimate.
Companies producing browsers are developing more ways for internet users to tell just what kind of SSL certification a site has, and both freeware and commercial servers are cooperating with this effort. In one such solution, the menu bar that displays the “https” characters and the padlock will turn green if the site has the EV certification, but will not if it only has the DV SSL certificate.
The lower-level DV SSL certification may work well for many legitimate companies, but internet users need to know that it does not provide as much confidence as the higher-level EV SSL standard. If they have concerns about security, they need to make an effort to ascertain which type of certification a site uses.