How useful are EV SSL certificates?

I’m using a letsencrypt.org SSL certificate for my amateur radio website

https://www.dhars.org.uk/

and an EV SSL certificate, for my company

https://www.kirkbymicrowave.co.uk/

which will cost me $69 to renew from a Comodo reseller - not exactly a fortune, even for a small company.

A few weeks ago I asked on a Facebook group devoted to the area where I used to live, if anyone looked at the address bar and saw the green in it. Obviously that was NOT a site of computer wizards, which is why I asked there. Nobody responded. Neither did anyone respond when I asked whether they see “not secure” either!

This forum post

makes an argument that EV SSL certificates are dead. It is, however, based on the fact that most people browse from a mobile device. That still leaves a lot of people who don’t, who will see more information.

I do wonder if I am wasting my time renewing an EV SSL certificate, or whether a Comodo EV SSL is worth the $69 to a small commercial company - only two employees.

Any thoughts?

Dave

3 Likes

$69 for an EV cert is the lowest price I’ve seen by at least $150–but even at that, I think it’s probably too much. The main reason I think this is covered by the article you link to, but it isn’t limited to mobile device use–even desktop browsers are moving in the same direction. But the bigger issue is that, regardless of what the browser vendors show the user, the vast majority of users don’t even notice, and of the few that do, the vast majority don’t really pay attention. Here’s another article that reaches pretty much the same conclusion:
https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

Edit: I guess, though, the question of “is it worth it” would require an understanding of how you see them adding value for you. The browser UI indication is the most obvious difference, but many CAs market a variety of other “benefits”. One that they like to focus on is a warranty, though they don’t seem to want to define very clearly what it covers (and I have yet to hear of a case where any CA’s warranty was actually used). But if you can explain what you think the EV cert might do for you, that would help us give a better idea of how beneficial it would actually be.

2 Likes

By the way, Troy Hunt wrote another post more recently:

3 Likes

IMHO, the critical piece of Troy’s (and others’) argument against EV certs is this. Regardless of what browser vendors do to distinguish EV certs from non-EV certs (which is increasingly nothing), the overwhelming majority of users do not change their behavior between a site with EV and a site without. And more importantly, they don’t even notice if a site that formerly had an EV cert now does not.

So even if you believe that EV certs are supposed to be additional protection against phishing to verify the company’s identity that you’re communicating with, no users actually do that.

1 Like

I used https://www.ssls.com/

where EV SSL certificates are $68.99. They are issued by Comodo so ssls.com is just a Comodo reseller. As soon as I paid last time (just under a year ago), I got sent a link to contact Comodo, and they did all the work. So the cost is not high.

The use of an EV SSL certificate is even mentioned in our privacy notice

https://www.kirkbymicrowave.co.uk/About-us/Privacy-Notice/#OurCommunicationsThewebsiteAndCookies

but I could remove that easily enough.

We have an online shop, but payment is made through PayPal. Possibly, a customer might feel happier knowing the site is secured, showing up green. Given the price of the items we sell, if we sold one more over a year, it would more than cover the cost of the certificate. But I’m wondering if it would result in a single extra sale. That is very difficult to know for sure.

I’m not bothered about the insurance aspects of this.

I would like to think it looks more professional, but given there are many multi-billion dollar companies not using EV SSL certificates, that argument is pretty weak.

Dave

1 Like