22 August 2008

Which Type of SSL Certificate Should You Purchase?

Extended Validation (EV) SSL certificates have been available for 18 months, but despite the hard sales push, many web sites are continuing to use non-EV certificates. EV certificates cost significantly more but I don't think the case for their use is yet proven.

During 2006, the SSL Certificate Authorities (CAs) and browser vendors approved standard practices for certificate validation and display called the Extended Validation Standard. This was in reaction to the widespread sale of low-cost SSL certificates, for which very little checking, if any, was done of the purchaser's details. The validation process is meant to establish the legal identity as well as the operational and physical presence of the website owner, the identity of the individual making the request, and that they have full control over the address/URL being used. In the Internet Explorer (IE) 7 web browser, the address bar turns green and displays the organisation's name when a trusted, current EV SSL certificate is in use (this may require an update from Microsoft, depending upon your operating system):

Partial screen capture of a web browser showing the green address bar that appears in IE7 when a valid Extended validation SSL certificate is in use

Users of Firefox 3 (and Firefox 2 with an extension) see something similar. But despite steady worldwide growth, many UK web sites are continuing to use non-EV certificates:

Partial screen capture of a web browser showing the address bar when a conventional SSL certificate is in use

For an excellent insight into what EV SSL certificates offer, read Ivan Ristic's ModSecurity Blog post "Extended Validation Certificates: A Change for the Better (But Not Enough)".

If your competitors are using EV certificates, it might be worth buying one too, but they are costed at a premium and I don't think consumers are avoiding web sites with conventional certificates. Since some UK online banks aren't using them, I suspect the time to join the bandwagon hasn't yet arrived:

Partial screen capture of a web browser showing the address bar when a conventional SSL certificate is in use by an online bank

Perhaps when the cost differential reduces, more site owners will begin to buy them. This isn't yet something you need to be ahead of the wave on.

Posted on: 22 August 2008 at 08:50 hrs


Comments


Thanks for the advice! That'll save us a few hundred dollars.
1 Added by Kari Posted on 02 September 2008 at 20:04 hrs
http://www.clerkendweller.com/2008/8/22/Which-Type-of-SSL-Certificate-Should-You-Purchase