
General Frequently Asked Questions - EV SSL

What is an EV (Extended Validation) SSL Certificate?

Extended Validation (EV) SSL Certificates are the next-generation SSL Certificates because they help protect against phishing attacks. They work with high-security Web browsers (e.g. Microsoft IE) so that visitors to Websites with an EV SSL Certificate will see a “Green Address Bar”. EV SSL Certificates represent a new industry standard for e-merchant identity verification developed by the CA/B Forum.

What are the benefits of EV SSL Certificates to Web site owners?

An EV SSL Certificate helps you gain competitive advantage by increasing trust in your Web site, which translates into higher conversion rates and increased revenue.

What is EV AUTO-Enhancer™ - Automatic EV Deployment and Maintenance Technology?

Comodo EV SSL Certificates offer the ability for Microsoft® Windows XP users to see the “Green Address Bar” indicator in Microsoft® Internet Explorer 7. However, unlike other Certification Authorities we provide EV AUTO-Enhancer™, a unique, patent-pending Automatic EV Deployment and Maintenance Technology to maximize the value of your EV SSL Certificate. Now your system administrator does not need to engage your web design team to install and service your EV SSL Certificate.

This technology is FREE, available nowhere else and is worth $1,500 in saved web design team resources.

How does EV AUTO-Enhancer™ work?

With Comodo’s unique, patent-pending EV AUTO-Enhancer™ technology, your system administrator need only install a single file on your Web server to make EV SSL Certificates display the “Green Address Bar” indicator in Microsoft® Internet Explorer 7 for customers who use Microsoft® Windows XP. This saves your web design team days of work in making your EV SSL Certificate backward compatible with Microsoft® Windows XP.

Normally, Web servers are configured to send only a single certificate chain during SSL/TLS handshakes. However, a simple modification to the “standard” configuration of a Web server would cause the new Root Certificate to be sent during SSL/TLS handshakes in addition to the “legacy certificate chain”.  This would cause the new Root Certificate to be automatically downloaded and installed from the Automatic Root Update facility and the EV SSL Certificate “Green Address Bar” would be seen immediately.

Comodo's EV AUTO-Enhancer™ technology returns the EV SSL Certificate root in the handshake from your Web server. In combination with a change of the issuance date of the cross-certificate, this will force Microsoft® Windows XP and Vista to pull the root into the certificate store.

Is EV AUTO-Enhancer™ compatible with all types of Web server?

This technology is currently available for Apache Web servers. The change that makes the Web server return the trusted root in the handshake can easily be incorporated into the installation instructions that we provide for Apache. IIS EV AUTO-Enhancer™, a Comodo plug-in for Microsoft® IIS, will soon be available to allow this type of Web server to serve the root in the desired way. Currently, all EV SSL Certificates will continue to work on Microsoft® IIS Web servers using Comodo’s EV Enhancer™. Comodo is also extending the ubiquity of this technology to be compatible with other types of Web server in the future.

What is EV Enhancer™?

Comodo's EV Enhancer™ technology enables the new "Green Address Bar" browser indicator for EV SSL Certificates to be backward compatible with Microsoft® Internet Explorer 7 on Windows™ XP by installing a trusted Comodo Root Certificate. This Root update is needed to establish a fully trusted and encrypted EV SSL connection and enable your customer’s address bar to turn green.

How does EV Enhancer™ work?

In order for the "Green Address Bar" to be displayed for a secure website in Microsoft® Internet Explorer 7, the relevant Root Certificate must be present in the client's Trusted Root Certificate store and it must also have an EV Policy Object Identifier (OID) associated with it. In Windows Vista, EV Policy OIDs are assigned automatically via the Automatic Root Update facility. However, in Windows XP (the dominant Operating System in the market today), the Automatic Root Update facility is unable to assign EV Policy OIDs to “legacy” Root Certificates that are already present in the Microsoft Root Certificate Program. This behavior forces all Certificate Authorities to embed a new Root Certificate in the Microsoft Root Certificate Program that will have the applicable EV Policy OID assigned to it. The difficulty of installing the new Root Certificate on Windows XP is that new Root Certificates are distributed from Windows Update. Every week, Windows downloads a signed list of all roots in the root program. When Windows validates a certificate, Windows XP shows the following behavior:

  1. Windows XP first tries to build a chain using certificates from the TLS/SSL protocol, in addition to the local certificate stores;
  2. If Windows is unable to find a chain up to a self-signed certificate, Windows tries to download additional certificates using information in the certificate;
  3. If a chain up to a self-signed certificate cannot be found, Windows tries to find a match in the signed list of roots retrieved from Windows Update. If a match is found, the Root Certificate is then downloaded and installed silently.

In most cases Windows XP will find a legacy Root Certificate (for Comodo this is UTN and AddTrust), which means that at least one trusted certificate chain will be found during step 1 and no new EV root will be installed. Therefore, it is not possible to use the Root Update Mechanism provided by Microsoft. To solve this problem, the website must trigger a TLS/SSL connection to an HTTPS URL that points to a certificate that is not cross-signed and does not refer to a legacy Root, and that returns only the End Entity and Issuing CA certificates. This method will force Windows XP to validate a certificate chain where it must download the new EV root.

The figure below shows the process in more detail:



  1. Consumer PC visits https://www.myEVsite.com and the web server returns the chain including the cross certificate to the user during TLS/SSL negotiation;
  2. The website contains an EV Enhancer™ script that points to https://ev-enhancer.comodo.com;
  3. The user makes a second TLS/SSL negotiation with ev.cadomain.com which returns a different End Entity certificate and no cross-signed certificate;
  4. Windows XP validates End Entity B and is unable to build a chain to a known self-signed certificate.

Based on the above scenario, the user will not see the "Green Address Bar" in Internet Explorer 7 until the second time she visits the site. This can be improved to be a first-time visit if the home page of the website is not an HTTPS URL and the EV Enhancer™ technology is activated from a page leading up to the HTTPS EV SSL trusted page. The EV Enhancer™ downloads and installs the EV Root from Windows Update before the user enters the HTTPS connection. This requires your website administrator to add a link to an HTTPS “beacon” site on each entry page of your website.
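The three validation steps and the beacon connection described above can be modelled in a few lines. This is an added illustration, not Comodo's code or the Windows chain engine: certificates are reduced to subject/issuer name pairs with no signature checks, every name except www.myEVsite.com is constructed, and the model assumes a self-signed root already in the store is preferred over a cross-certificate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject == issuer means self-signed

def walk(leaf, pool):
    """Follow issuer names upward. Returns (self_signed_cert, None) or (None, missing_issuer)."""
    cur = leaf
    for _ in range(len(pool) + 1):
        if cur.subject == cur.issuer:
            return cur, None
        # Model assumption: a self-signed match is preferred over a cross-certificate.
        parents = sorted((c for c in pool if c.subject == cur.issuer),
                         key=lambda c: c.subject != c.issuer)
        if not parents:
            return None, cur.issuer
        cur = parents[0]
    return None, cur.issuer

def validate(handshake, store, aia, update_list):
    """Return (root reached or None, roots installed during this validation)."""
    leaf, pool = handshake[0], list(handshake) + list(store)
    root, missing = walk(leaf, pool)              # step 1: handshake + local stores
    if root is None:
        pool += aia.get(missing, [])              # step 2: certificates the chain refers to
        root, missing = walk(leaf, pool)
    installed = []
    if root is None:                              # step 3: signed list from Windows Update
        match = [r for r in update_list if r.subject == missing][:1]
        store.extend(match)                       # silent install into the root store
        installed = [r.subject for r in match]
        root, _ = walk(leaf, pool + match)
    return (root.subject if root else None), installed

LEGACY = Cert("Legacy Root", "Legacy Root")       # constructed sample certificates
EV_ROOT = Cert("EV Root", "EV Root")
CROSS = Cert("EV Root", "Legacy Root")            # cross-certificate for the EV root
ISSUING = Cert("Issuing CA", "EV Root")
SITE = Cert("www.myEVsite.com", "Issuing CA")
BEACON = Cert("beacon.example", "Issuing CA")     # "End Entity B"

def demo():
    store, updates = [LEGACY], [LEGACY, EV_ROOT]  # XP client starts with the legacy root only
    first = validate([SITE, ISSUING, CROSS], store, {}, updates)
    beacon = validate([BEACON, ISSUING], store, {}, updates)   # no cross-certificate sent
    second = validate([SITE, ISSUING, CROSS], store, {}, updates)
    return first, beacon, second
```

Calling `demo()` returns the results for the first site visit, the beacon connection and the second site visit, in that order; only the beacon connection reaches step 3 and installs the new root.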

What is SGC?

SGC is Server Gated Cryptography. It provides the ability for a certificate to 'up-rate' older browsers that are only capable of weak, 40-bit encryption to ultra-secure 128/256-bit encryption without the need to upgrade. It was introduced at a time when stringent United States encryption export laws would only allow browsers to encrypt at 40-bit levels. There are still millions of users who use these older browsers. Websites wishing to offer the highest level of trust and 256-bit encrypted transactions to the widest possible customer base should consider EV SGC SSL Certificates.

Will I be able to upgrade my existing Comodo High Assurance SSL Certificate to get the “Green Address Bar” in my customer’s Web browser?

Sure. Comodo can offer you a quick migration path from your existing High Assurance SSL Certificate to an EV SSL Certificate. After your reservation, you may have to submit additional documentation. The Comodo sales team will assist you throughout the process. So submit your contact information and we will contact you shortly. Alternatively, call US toll free: 1 888 266 6361 or from outside of the US: 1 703.581.6361.

Is my existing High Assurance SSL Certificate still sufficient for protecting online transactions?

All Comodo SSL Certificates will continue to provide security encryption to ensure that data being transferred between your Web site and your customer’s Web browser cannot be stolen. In addition, your current High Assurance SSL Certificate will continue to provide identity assurance for your Web site.