The X.509 SSL certificate system is vital to secure communication on the internet. SSL certificates, issued by certificate authorities, are responsible for ensuring we know who we are connected to when we send private information. They’re also responsible for the encryption that prevents snoopers from seeing the data we send over network connections.
For SSL certificates to do their job, certificate authorities must only issue certificates to organizations whose identities have been validated. If certificate authorities issued certificates without validating the identity of the applicant, we’d have no way of knowing whose servers we are connected to. There are, however, multiple levels of validation, which range from almost no validation to a thorough investigation of the organization.
To take some concrete examples, consider eCommerce. We connect to an eCommerce retailer’s store, and the browser’s address bar turns green and displays a padlock. We visit another eCommerce store, but instead of turning green, the browser’s address bar just displays a padlock. These are visual indications of the level of validation carried out by the certificate authority.
Let’s consider what the levels of validation mean.
Domain validation is the lowest level of validation. The certificate authority simply verifies that the applicant has control over the domain in question. Often, this is done via email, by uploading a file supplied by the CA to the domain, or by making changes to a DNS record. If the organization demonstrates that it controls the domain, it will be issued a certificate.
In addition to being the lowest level of validation, domain validation is also the least expensive. It’s easy to automate, and because no humans are involved, there are few costs.
Certificate authorities like Let’s Encrypt are able to offer free domain-validated SSL certificates because the whole process is automatic.
Organization validation, as the name suggests, means the certificate authority investigates — although not very deeply — the organization making the application. The CA will contact the organization to make sure it’s them making the request, and not a malicious third party.
Because humans are involved in the validation process, this level of validation is more expensive than domain validation.
Extended Validation is the most stringent validation level. Certificate authorities are required to carry out a thorough investigation that involves checks to make sure the organization exists as a legal entity, that it has the physical location it claims, that the details it supplies can be confirmed with public records, and so on. Certificate authorities that can issue EV certificates are subject to annual audits to make sure their processes are up to snuff.
As you might imagine, EV certificates are the most expensive because they require a substantial investment of time by human investigators.
Extended Validation is the only way a site gets that well-understood visual indicator of security, the green address bar.
Although Extended Validation should give web users the most confidence, it’s worth mentioning that the other validation levels are perfectly fine for many applications. While an eCommerce store or bank should use EV certificates, a blog, for example, doesn’t need more than domain validation in most cases — a DV certificate verifies control over the blog’s domain, and does just as good a job of encrypting the content as it flows over the network.
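As an added example (not code from the original article), here is how the three levels are actually recorded inside a certificate: the CA/Browser Forum assigns a policy OID to each level, and a CA places it in the leaf's certificatePolicies extension, which is what browsers and tooling read to tell a DV, OV or EV certificate apart. The Go program below builds a self-signed test certificate carrying one such OID and classifies it; the OIDs are the CA/B Forum's, while the self-signed certificate itself is constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs by which a leaf certificate declares its level.
var (
	oidDV      = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // domain-validated
	oidOV      = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // organization-validated
	oidEV      = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // extended validation
	levelByOID = map[string]string{oidDV.String(): "DV", oidOV.String(): "OV", oidEV.String(): "EV"}
)

// ValidationLevel returns "DV", "OV", "EV" or "unknown" from the policy OIDs alone; it does not verify the chain.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		if name, ok := levelByOID[p.String()]; ok {
			return name
		}
	}
	return "unknown"
}

// SelfSignedDER: self-signed test certificate (constructed, not CA-issued) carrying one policy OID.
func SelfSignedDER(policy asn1.ObjectIdentifier) ([]byte, error) {
	type policyInfo struct{ ID asn1.ObjectIdentifier } // policyQualifiers omitted
	ext, err := asn1.Marshal([]policyInfo{{policy}})   // SEQUENCE OF PolicyInformation
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// Raw id-ce-certificatePolicies (2.5.29.32) so the encoding is independent of the Go version's policy-field handling.
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Run against a real server's leaf certificate (for example, the first element of `tls.ConnectionState.PeerCertificates`), ValidationLevel tells you which of the three levels the CA asserted; a real check must also verify the chain, since any party can put any OID in a self-signed certificate.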