Buyers Guide to EV SSL




SSL Status Quo

With SSL, end-users have been satisfied that a Web site is secure when the URL reads "https" instead of "http" and a lock icon appears at the top or bottom of the screen.

Visually, most end-users only look for those icons and most have no idea how those types of sites can be manipulated and replicated by phishers.

How do end-users really know whether the site is authentic and owned by the bank, merchant, or other company whose name it bears?

In theory, SSL certificates should be the ongoing standard for browser and server security; however, there are a few kinks in an otherwise worthy protocol for a secure web browser.

In a paper entitled "An Overview of SSL (version 2)," Mr. Adam Shostack discussed the limitations and vulnerabilities of SSL. This paper was written in 1995, soon after Netscape introduced SSL certificates.

Shostack, who now works for Microsoft in their threat vulnerabilities and security department, realized, even in the midst of SSL's infancy, that the protocol had serious flaws. These flaws are still evident and plentiful today.

"Insiders, especially those around the top of the key certification hierarchy, have the potential to do quite a bit of harm by creating false signatures on keys," he wrote.

"Few of these attacks will occur in a vengeful manner; they require time and foresight to enact, and are probably the domain of the malicious employee. (This assumes that employees who become vengeful do so at about the time they leave a firm.)"

Almost like a Nostradamus for the IT Security world, Shostack's hypothetical theory has come true as of 2007. "…A more useful option might be to buy a cheap PC, and have it attempt brute force RC4 keys [encryption keys]. It is estimated that a Pentium based PC should be able to crack a 40 bit RC4 key in a month or several months using brute force," he wrote, though the standard now is 128 bit encryption. Brute force means password guessing, as it relates to SSL.

"The manipulations used on the master key may increase the cost of the attack, but probably not by orders of magnitude. If a PC costs $1500, then breaking 12 keys a year leads to a cost that could be as low as $125 per stolen card number. While this seems like a high price, the credit card numbers are acquired in a nearly risk free manner of sniffing an Ethernet. In addition, that time will drop with the introduction of faster hardware."

© 2007 EV SSL Guide.com
All rights reserved - do not copy any material without written permission.


