An extended validation (EV) certificate is a data security/anti-fraud measure recommended in 2006 by the Certificate Authority/Browser Forum (CAB Forum): an open voluntary association of certification authorities and software developers.
The first version of the Extended Validation SSL Certificate Guidelines was ratified in June 2007.
The forum has recommended the introduction of a new security measure primarily to combat phishing: websites that mimic legitimate websites to harvest personal information including credit card numbers and bank account access details.
(a) Primary Purposes The primary purposes of an EV Certificate are to:
(1) Identify the legal entity that controls a website
Provide a reasonable assurance to the user of an Internet browser that the website the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and
(2) Enable encrypted communications with a website
Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a website. Source: Extended Validation SSL Certificate Guidelines
It is important to note that the earlier secure socket certificate (SSC) security measure also initially included processes to confirm the identity of the organisation before a certificate was issued. Commercial pressures are often cited as a reason why these processes were abandoned by certificate issuing authorities .
New Zealand Bank ASB added EV certification to its online banking website in early 2008. By March of the same year, the customer login screen displayed the following message:
ASB has identified a phishing email attack targeting ASB customers. The subject of the email is ‘EV SSL certification FastNet update’ and requests customers to update their account details through an email link.
Microsoft was first to introduce support for the new certificate with the release of Internet Explorer version 7 (IE7) for the Windows Vista operating system.
When a person connects to a website with a valid EV certificate: