They may share the same indicators, but DV and OV are not the same
If you’ve ever shopped for SSL certificates, you know there are three different SSL validation levels: domain, organization and extended. Extended validation (EV) SSL activates a unique visual indicator, displaying the name of the organization in browsers’ address bars. Its value proposition is clear. But what about the other two, which only display the padlock? (If that.)
OV SSL is the “OG” SSL
The original type of SSL certificate actually was organization validated. Back then, anyone who wanted to use the HTTPS protocol needed to be vetted to at least some extent by the certificate authorities (CAs). The thinking was that HTTPS was supposed to be synonymous with security and safety, so it wouldn’t be advantageous to let bad actors get SSL certificates, too. Remember that logic because we’ll come back to it later.
OV SSL requires a light business vetting. Basically, the CA just wants to make sure that, by all appearances, you’re a legitimate business. It checks your registration, makes sure you’re operational and then issues a certificate that includes that validated information in the subject.
This means that anyone who clicks the padlock on your website will be able to see the name of the organization and a portion of its locality. This is extremely helpful if your customers know where to look.
DV SSL is Basic Validation
Domain validation SSL was largely a reaction to the original OV certificates. The thinking was that there shouldn’t be barriers to HTTPS, that everyone should use encryption. That’s now progressed to where many domain validated certificates can be obtained for free from public CAs. Remember earlier we talked about how people were supposed to associate HTTPS with safety? Well, that went out the window with the advent of DV. Now, HTTPS phishing is at an all-time high, with some estimates holding that upwards of 90% of phishing sites now use SSL certificates.
All that’s required to get a DV certificate issued is a simple validation check. This can even be automated with some CAs. The result is instant issuance. That can be extremely beneficial in and of itself, but there are some perils that come with DV — the largest being the lack of authentication. Even if your users click the padlock, all they’ll see is the host name. That’s not much use in asserting identity.
The Encryption is the Same with Both DV and OV
Here’s the thing a lot of CAs and resellers don’t tell you: Encryption doesn’t vary by SSL validation type. In fact, the SSL certificate isn’t even what does the encryption — it just facilitates it and sets parameters. Your actual encryption strength varies based on the capabilities of the server and client, and what cipher suites are in use.
So, the security you get from an EV certificate that costs $1,000 is the same as what you’d get from a free DV one. In the case of DV SSL vs OV SSL, the certificate makes no difference to the type of encryption itself.
How Much Identity You Assert Varies
Asserting identity is important on the internet because trust is currency. It’s difficult to quantify — and for some sites that are large enough it may be less important — but to 90% of the organizations on the web, the ability to definitively assert your legitimacy is critical.
If you need proof, just go check the volume of searches each month for keywords like “is this site fake?” or “how to spot a scam website.” People want assurance.
DV is literally the least you can do. You’re asserting no identity beyond reaffirming your own URL. And as more and more people get phished by sites with DV certificates on them, that’s eventually not going to be good enough.
OV doesn’t provide the same amount of identity as EV — which asserts enough to get preferential browser treatment — but it does provide some verified organization details. And that, at least, shows that someone vetted you — moreover, that someone trusted vetted you.
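The difference described above is visible in the certificate's subject fields. The following is an added example, not code from the original article: it classifies a certificate from the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates, organization name and the field-based heuristic are constructed for illustration.

```python
# Added example. Heuristic: reads subject fields only, not certificate-policy OIDs.
# Input uses the dict shape returned by ssl.SSLSocket.getpeercert().

EV_MARKERS = {"businessCategory", "jurisdictionCountryName"}  # EV-only subject fields
PLACE_KEYS = ("localityName", "stateOrProvinceName", "countryName")

def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' based on which identity fields are present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"                      # nothing vetted beyond domain control
    if EV_MARKERS.issubset(fields):
        return "EV"
    return "OV"

def asserted_identity(cert):
    """Summarise what a visitor inspecting the certificate would learn."""
    fields = subject_fields(cert)
    level = validation_level(cert)
    if level == "DV":
        # Some DV certificates omit the CN; fall back to the SAN DNS names.
        sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        host = fields.get("commonName") or (sans[0] if sans else "unknown host")
        return f"DV: host name only ({host})"
    place = ", ".join(fields[k] for k in PLACE_KEYS if k in fields)
    return f"{level}: {fields['organizationName']} ({place})"

# Constructed sample certificates (not real sites).
DV_CERT = {"subject": (), "subjectAltName": (("DNS", "shop.example.com"),)}
OV_CERT = {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "Florida"),),
                       (("localityName", "Tampa"),),
                       (("organizationName", "Example Widgets LLC"),),
                       (("commonName", "shop.example.com"),))}
EV_CERT = {"subject": OV_CERT["subject"] + (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "CONSTRUCTED-0001"),))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(asserted_identity(cert))
```

To run it against a live site, pass in the dict from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.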
Wrapping Up DV vs OV SSL
DV and OV may display the same, and under the hood they both facilitate the same level of encryption. But on an ever-changing internet where trust and identity continue to grow in importance, there is a major difference between DV and OV: identity.
DV is great for small sites, blogs, and testing environments — but eCommerce storefronts or websites that transact in sensitive information need something more. When the stakes are that high, you can’t afford not to supply all that verified information.