DV, EV, OV SSL Certificates: many different types and prices, but what’s the actual difference?
SSL certificates have certainly caused some confusion for the typical web user. Let’s briefly summarize why it’s important to have an SSL certificate installed on our hosting/domain and why it has become increasingly important since 2017.
Check this bullet list:
- In 2016, Google announced that from Jan 2017 Chrome would flag all websites on a standard HTTP (unencrypted) connection as “not secure”. In other words, the HTTPS protocol became almost mandatory.
- In Jan 2017, Firefox followed Google’s suggestion, adding the error message “This connection is not secure”.
- A few months earlier, SEMRUSH, one of the leading SEO suites, published research stating that SSL, and thus the HTTPS protocol, is taken into consideration by Google as a major ranking factor.
- We’ve seen three possible solutions to remove the message in the “3 ways to solve the ‘This connection is not secure’” post.
There are very expensive certificates and very cheap ones. Why’s that?
This is obviously a very complex topic, but we’re here to simplify everything for you! Are you ready? 3.. 2.. 1, GO!
The basic difference in SSL Certificates
SSL certificates have different levels of validation, corresponding to different specific needs. In 99,9% of cases, a free or basic DV certificate will be exactly what you’re looking for, but let’s look at the terminology:
- Domain Validated (DV) SSL Certificate: it certifies only that the certificate belongs to the domain it is served from. In other words, it validates that the domain and its content are exactly what you see. This is the simplest, most affordable validation type, and it neither covers nor checks domain ownership and data: just the name.
- Organization Validated (OV) SSL Certificate: compared to the previous DV, an OV SSL Certificate also validates the name of the organization or person that requested it. That’s the reason why the certificate authority (CA) needs more days to issue it, as there is some paperwork involved. Since the CA verifies more information, it should bring a better domain reputation.
- Extended Validation (EV) SSL Certificate: this is the gold level in SSL certificates. It brings the highest trust, if we look at trust as something that the web user grants to a particular certificate. We have to provide more information about ourselves and it will be legally verified, so there’s more paperwork here than for an OV cert. Some browsers will display the company name in the address bar, thus assuring our users that the website is our official website and not a knock-off. However, this doesn’t apply if our EV certificate is a Wildcard certificate too.
- Wildcard SSL Certificate: Wildcard certificates can be either DV, OV or EV. They’re used to cover the whole domain name and not only a particular version of it: that means that a single wildcard certificate will work not only for www.mydomain.com, but also for data.mydomain.com, mail.mydomain.com, etcetera. If we have a lot of subdomains, it could be convenient to buy a single wildcard cert instead of many non-wildcard ones.
In any case, the encryption level between our PC and the server will always be the same, as the encryption standards used are similar, if not an exact match, across all certificate types.
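To make the list above concrete, here is an added example (not part of the original post) that guesses the validation level from the subject fields a CA filled in and checks which hostnames a wildcard entry covers. The input uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the two sample certificates are constructed, and the subject-field check is a heuristic assumption.

```python
# Added example with constructed sample data (standard library only).
# Input shape: the dict returned by ssl.SSLSocket.getpeercert().
DV_WILDCARD = {  # constructed sample
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}
EV_CERT = {  # constructed sample, placeholder organization data
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "IT"),),
        (("serialNumber", "00000000000"),),
        (("organizationName", "Example S.r.l."),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}
# Subject fields that appear alongside the organization name in EV certificates
EV_ONLY_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristic guess of DV / OV / EV from the subject fields."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only the domain name was validated
    if EV_ONLY_FIELDS.issubset(fields):
        return "EV"  # organization plus legal-entity details
    return "OV"  # organization name validated


def covers(cert, hostname):
    """True if a DNS entry in subjectAltName covers hostname."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            # The wildcard stands for exactly one label in front of the parent
            head, _, parent = host.partition(".")
            if head and parent == name[2:]:
                return True
        elif name == host:
            return True
    return False
```

Note that a wildcard entry alone covers neither the bare domain (mydomain.com) nor names two levels down (a.b.mydomain.com); those need their own entries in the certificate.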
Yes but… what’s the difference in practice?
To be honest, not much in practice. As said, EV and OV Certificates may display your name in the address bar on most browsers. However, they have to be configured in a specific way: Wildcard EV and Wildcard OV certificates do not. As cost is a main concern with this kind of cert, buying many different EVs or OVs might not be a viable solution.
OV and EV certificates, on the other hand, allow the user to check the name of the organization that requested them at any time, as you can see in the screenshot: Facebook uses a Wildcard EV certificate for its domain.
However, have you ever seen a user opening the information window below? I don’t think so…
In DV certificates this data is simply not available: they verify only the domain name. In our experience, this difference is not relevant at all to most people, so a standard DV Certificate would suit your needs just fine. When things change, upgrading to an EV or OV will always be possible.
The BIG difference: the Certificate Authority assurance
If you have a big business, this might be more intriguing for you. Few people actually know about it, but an SSL certificate is like a warranty on the domain. An assurance, to be precise, about the real nature of the domain (and, in the case of EVs and OVs, of the domain holder). The Certificate Authority works exactly like an assurance agent.
What happens if someone hacks the CA and defaces our website thus stealing our web identity, causing the user to visit a website that is not ours?
There’s a warranty. This is why we have 99€ EVs and 9.999€ EVs, as the warranty covers the resulting damage. For example, on this page of the Comodo website, one of the most famous CAs, we find that:
- A PositiveSSL Cert (DV) that costs around 10€, covers around € 1.000 in damage
- A PositiveSSL Cert (EV) that’s 20 times more expensive, covers € 15.000 in damage
PLEASE PAY ATTENTION: the warranty does NOT pay the certificate owner, but the users endangered by the identity theft. This is very important, because you might think you have rights to those funds, when you do not!
The security level of the cheapest SSL cert is exactly the same as that of the most expensive one, and hacking an SSL certificate is a very hard task, so I’d say that the risk of identity theft is really remote. If you’re worried about the risk of being deceived, a cost/benefit analysis is what you need in order to choose the right certificate for you.
However, take into consideration that the common user just doesn’t care about any of this, as he is only bothered by the “This site is not secure” message that browsers started showing a couple of years ago.