General Frequently Asked Questions - EV SSL

What is an EV (Extended Validation) SSL Certificate?

Extended Validation (EV) SSL Certificates are the next generation SSL Certificate because they help protect against phishing attacks. They work with high security Web browsers (e.g. Microsoft IE) so that visitors to Websites with an EV SSL Certificate will see a "Green Address Bar". EV SSL Certificates represent a new industry standard for e-merchant identity verification developed by the CA/B Forum.

What are the benefits of EV SSL Certificates to Web site owners?

An EV SSL Certificate helps you gain competitive advantage by increasing trust in your Web site that translates into higher conversion rates and increased revenue.

What is EV AUTO-Enhancer™ - Automatic EV Deployment and Maintenance Technology?

Comodo EV AUTO-Enhancer™ is a patent-pending technology designed to enable Microsoft® Windows XP users to see the "Green Address Bar" indicator in Microsoft® Internet Explorer 7 However, unlike XP compatibility solutions offered by other Certification Authorities, EV AUTO-Enhancer™, provides this capability simply by installing a small program on your web server at the time you install your EV SSL Certificate.

It installs quickly and easily, and provides "Green Address Bar" functionality to XP users beyond that of other solutions, which, for example, require site visitors to have JavaScript enabled - ours doesn't. Only Comodo's approach is deployed solely by IT staff, and does not require the involvement of web developers to setup or maintain the solution.

How does EV AUTO-Enhancer™ work?

With Comodo’s unique, patent-pending EV AUTO-Enhancer™ technology, your system administrator need only install a single file on your Web server to make EV SSL Certificates display the “Green Address Bar” indicator in Microsoft® Internet Explorer 7 for customers who use Microsoft® Windows XP. This saves your web design team days of work in making your EV SSL Certificate backward compatible with Microsoft® Windows XP.

Normally, Web servers are configured to send only a single certificate chain during SSL/TLS handshakes. However, a simple modification to the “standard” configuration of a Web server would cause the new Root Certificate to be sent during SSL/TLS handshakes in addition to the “legacy certificate chain”.  This would cause the new Root Certificate to be automatically downloaded and installed from the Automatic Root Update facility and the EV SSL Certificate “Green Address Bar” would be seen immediately.

Comodo's EV AUTO-Enhancer™ technology returns the EV SSL Certificate root in the handshake from your Web server. In combination with a change of the issuance date of the cross-certificate, this will force Microsoft® Windows XP and Vista to pull the root into the certificate store.

Is EV AUTO-Enhancer™ compatible with all types of Web server?

There are currently versions available for Apache and Microsoft® IIS Web servers. Others may be supported in the future. If you are using a web server other than Apache or Microsoft® IIS, you should deploy Comodo's EV Enhancer™, described below.

What is EV Enhancer™?

Comodo's EV Enhancer™ enables the new "Green Address Bar" browser indicator for EV SSL Certificates to be backward compatible with Microsoft® Internet Explorer 7 on Windows™ XP by installing a trusted Comodo Root Certificate. It should be used by companies deploying EV SSL Certificates on web servers other than Apache or Microsoft® IIS. (If you are using Apache or Microsoft® IIS we recommend you use Comodo's EV AUTO-Enhancer™ described at the top of this page.

How does EV Enhancer™ work?

In order for the "Green Address Bar' to be displayed for a secure website in Microsoft® Internet Explorer 7, the relevant Root Certificate must be present in the client's Trusted Root Certificate store and it must also have an EV Policy Object Identification (OID) associated with it. In Windows Vista, EV Policy OIDs are assigned automatically via the Automatic Root Update facility. However in Windows XP (the dominant Operating System in the market today), the Automatic Root Update facility is unable to assign EV Policy OIDs to "legacy" Root Certificates that are already present in the Microsoft Root Certificate Program. This behavior forces all Certificate Authorities to embed a new Root Certificate in the Microsoft Root Certificate Program that will have the applicable EV Policy OID assigned to it. The difficulty of installing the new root certificate on Windows XP is that new Root Certificates are distributed from Windows Update. Every week, Windows downloads a signed list of all roots in the root program. When Windows validates a certificate, Windows XP shows the following behavior:

1. Windows XP first tries to build a chain using certificates from the TLS/SSL protocol, in addition to the local certificate stores;
2. If Windows is unable to find a chain up to a self-signed certificate, Windows tries to download additional certificates using information in the certificate;
3. If a chain up to a self-signed certificate can not be found, Windows tries to find a match in the signed list of roots retrieved from Windows Update. If a match is found, the Root Certificate is then downloaded and installed silently.

In most cases Windows XP will find a legacy Root Certificate (for Comodo this is UTN and AddTrust), which will mean that at least one trusted certificate chain will be found during phase one and no new EV root will be installed. Therefore, it is not possible to use the Root Update Mechanism provided by Microsoft. To solve this problem, the website must trigger an TLS / SSL connection to a HTTPS URL that points to a certificate that is not cross signed and does not refer to a legacy Root and returns only the End Entity and Issuing CA certificates. This method will force Windows XP to validate a certificate chain where it must download the new EV root.

The figure below shows the process in more detail:

1. Consumer PC visits https://www.myEVsite.com and the web server returns the chain including the cross certificate to the user during TLS/SSL negotiation;
2. The website contains an EV Enhancer™ script to https://ev-enhancer.comodo.com;
3. The user makes a second TLS/SSL negotiation with ev.cadomain.com which returns a different End Entity certificate and no cross signed certificate;
4. Windows XP validates End Entity B and is unable to build a chain to a known self-signed certificate.

Based on the above scenario, the user will not see the "Green Address Bar" in Internet Explorer 7 until the second time she visits the site. This can be improved to be a first time visit if the home page of the website is not a HTTPS URL and the EV Enhancer™ technology is activated from a page leading up to the HTTPS EV SSL trusted page. The EV Enhancer™ downloads and installs the EV Root from Windows Update before the user enters the SSL connection. This requires your website administrator to add a link to an HTTPS "beacon" site on each entry page of your website.

What is SGC?

SGC is Server Gated Cryptography. It provides the ability for a certificate to 'up-rate' older browsers that are only capable of weak, 40-bit encryption to ultra-secure 128/256-bit encryption without the need to upgrade. It was introduced at a time when stringent United States encryption export laws would only allow browsers to encrypt 40-bit levels. Understandably, there are still millions of users that still use these older browsers. Websites wishing to offer the highest level of trust and 256-bit encrypted transactions to the widest possible customer base should consider EV SGC SSL Certificates.

Will I be able to upgrade my existing Comodo High Assurance SSL Certificate to get the "Green Address Bar" in my customer's Web browser?

Sure. Comodo can offer you a quick migration path from your existing High Assurance SSL Certificate to an EV SSL Certificate. After your reservation, you may have to submit additional documentation. The Comodo sales team will assist you throughout the process. So submit your contact information and we will contact you shortly. Alternatively, call US toll free: 1 888 266 6361 or from outside of the US: 1 703.581.6361.

Is my existing High Assurance SSL Certificate still sufficient for protecting online transactions?

All Comodo SSL Certificates will continue to provide security encryption to ensure that data being transferred between your Web site and your customer's Web browser can not be stolen. In addition your current High Assurance SSL Certificate will continue to provide identity assurance for your Web site.