Can you tell the difference between the two images below (beyond the fact that they're different websites)?
Do you see where Twitter has 'Twitter, Inc [US]' next to the green padlock and Google only has 'Secure'? That means Twitter is using an EV or Extended Validation certificate, whereas Google is not. The organization name next to the padlock is the browser's EV indicator; a certificate that doesn't earn it is either a DV (Domain Validation) certificate or an OV (Organization Validation) certificate, which does name the company in its subject but gets exactly the same plain 'Secure' treatment from the browser, so the address bar alone can't tell those two apart. I had only vaguely noticed that certain HTTPS sites have wording other than 'Secure' next to the green padlock, and it wasn't until I read Troy Hunt's blog post, On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt, that I knew what that meant.
I won't rehash everything he said because he covered it really well. You should read it if you have the time. That said, there's a quote from his blog post that sums everything up perfectly.
"Whilst DV certs give us assurance that we're communicating with the domain we think we are, it's EV certs which give us confidence we're communicating with the organisation we think we are."
Domain Validation certificates only require the requester to prove control of the domain the certificate is for (typically by publishing a token chosen by the CA in a DNS record or at an HTTP URL on the site), which isn't difficult to do. The purpose of an EV cert is to provide an extra layer of confidence. Someone could easily acquire a DV cert for a phishing site, but an EV certificate requires proof that they are the organization they're claiming to be. Before an EV cert can be issued, the CA must verify, under the CA/Browser Forum's EV Guidelines, that the applicant is a legally registered organization, that it physically exists at the address it gives, and that the person requesting the certificate is authorized to act for it; much of that verification is done by a human at the CA rather than by an automated check, and the vetted legal name, jurisdiction and registration number are written into the certificate's subject. I cannot just buy a domain, run a PayPal phishing site, and acquire an EV cert that says I'm PayPal. The caveat is that what the browser shows you is the registered legal name the CA vetted; it is still up to you to recognize that name and to notice when it changes or disappears.
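To make the distinction concrete, here is a small Python script, added here as an example (it is not part of the original post or of Troy Hunt's), that reads the Subject and the certificatePolicies extension out of a DER-encoded certificate and classifies it as EV, OV or DV. The EV marker it looks for is the CA/Browser Forum policy OID 2.23.140.1.1 (the OV and DV equivalents are 2.23.140.1.2.2 and 2.23.140.1.2.1), and the subject fields that only EV certificates carry (businessCategory, serialNumber, jurisdictionCountryName) are what the browser turns into 'Twitter, Inc [US]'. The three certificate bodies it checks are constructed inside the script with a tiny DER writer (unsigned, with made-up values), so it runs offline; to check a real site, pass ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) to classify() instead.

```python
"""Tell EV from OV/DV by reading a certificate's Subject and certificatePolicies extension.
Added example, not code from the original post; standard library only, samples constructed below."""
# Policy OIDs assigned by the CA/Browser Forum; an EV cert carries 2.23.140.1.1.
EV_POLICY, OV_POLICY, DV_POLICY = "2.23.140.1.1", "2.23.140.1.2.2", "2.23.140.1.2.1"
CERT_POLICIES_EXT = "2.5.29.32"   # id-ce-certificatePolicies
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C", "2.5.4.5": "serialNumber",
             "2.5.4.15": "businessCategory", "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC"}

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Split a constructed element's contents into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    arcs, acc = ([2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_subject(name_contents):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> {attribute: value}."""
    attrs = {}
    for _, rdn in _children(name_contents):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            attrs[OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))] = val.decode("utf-8", "replace")
    return attrs

def classify(der, extra_ev_oids=()):
    """Return (kind, subject, policies) for a DER certificate; kind is 'EV', 'OV' or 'DV'."""
    _, cert, _ = _read_tlv(der, 0)
    tbs = _children(cert)[0][1]                             # tbsCertificate
    fields = [f for f in _children(tbs) if f[0] != 0xA0]    # drop [0] version
    subject = parse_subject(fields[4][1])     # serial, sigAlg, issuer, validity, subject
    policies, exts = [], [f for t, f in fields if t == 0xA3]   # [3] EXPLICIT extensions
    for _, ext in (_children(_children(exts[0])[0][1]) if exts else []):
        kids = _children(ext)                               # OID, [critical BOOLEAN], OCTET STRING
        if _decode_oid(kids[0][1]) == CERT_POLICIES_EXT:
            (_, seq), = _children(kids[-1][1])              # OCTET STRING wraps SEQUENCE OF PolicyInformation
            policies += [_decode_oid(_children(p)[0][1]) for _, p in _children(seq)]
    if EV_POLICY in policies or any(o in policies for o in extra_ev_oids):
        kind = "EV"   # some older EV certs carry only a CA-specific EV OID: pass those in
    elif "O" in subject or OV_POLICY in policies:
        kind = "OV"   # organisation named but not EV-vetted; browsers display it like DV
    else:
        kind = "DV"   # domain control only
    return kind, subject, policies

def padlock_label(der):   # what 2017-era Chrome printed next to the green padlock
    kind, subject, _ = classify(der)
    return f"{subject['O']} [{subject['jurisdictionC']}]" if kind == "EV" else "Secure"

# Minimal DER writer, used only to build the constructed demo certificates below.
def _tlv(tag, content):
    n = len(content)
    ln = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(ln)]) + ln + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)

def _name(attrs):   # list of (oid, str) -> DER Name with one RDN per attribute
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x0C, v.encode())))
                               for o, v in attrs))

def build_sample(subject_attrs, policy_oids):
    """Constructed, unsigned Certificate { tbsCertificate } carrying the given subject and policies."""
    policies = _tlv(0x30, b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(p))) for p in policy_oids))
    ext = _tlv(0x30, _tlv(0x06, _encode_oid(CERT_POLICIES_EXT)) + _tlv(0x04, policies))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")          # v3, serial 1
           + _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")))    # sha256WithRSA
           + _name([("2.5.4.3", "Demo CA")])                                  # issuer
           + _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"180101000000Z"))
           + _name(subject_attrs) + _tlv(0x30, b"")                           # subject, empty SPKI
           + _tlv(0xA3, _tlv(0x30, ext)))                                     # [3] extensions
    return _tlv(0x30, _tlv(0x30, tbs))

# Constructed samples modelled on the two address bars in the post; all values are made up.
EV_SAMPLE = build_sample([("1.3.6.1.4.1.311.60.2.1.3", "US"), ("2.5.4.15", "Private Organization"), ("2.5.4.5", "000000"),
                          ("2.5.4.6", "US"), ("2.5.4.10", "Twitter, Inc."), ("2.5.4.3", "twitter.com")], [EV_POLICY])
OV_SAMPLE = build_sample([("2.5.4.6", "US"), ("2.5.4.10", "Google Inc"), ("2.5.4.3", "www.google.com")], [OV_POLICY])
DV_SAMPLE = build_sample([("2.5.4.3", "example.org")], [DV_POLICY])
```

Running classify() over the three samples gives EV, OV and DV respectively, and padlock_label() returns 'Twitter, Inc. [US]' for the first but plain 'Secure' for both of the others, which is the whole point of the post: the OV certificate names an organization too, but nothing in the address bar lets the user see it. The classifier keys on the CA/Browser Forum EV OID; if you inspect an older EV certificate that only carries its issuing CA's own EV policy OID, pass that OID in extra_ev_oids.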
What does this mean to you? Maybe nothing. One suggestion in that post is that we, as security professionals, should begin to change the way we condition our users: instead of having them inherently trust the green padlock, we train them to recognize the difference between EV and DV certificates and to change their behavior based on it. That isn't necessarily plausible at the moment, since many top-100 Alexa sites forgo EV certs (e.g. Google). But it is possible to start paying attention when we see an EV cert on an HTTPS site and to change our behavior when we no longer see that cert.
For example, Bank of America has an EV cert, and I've always subconsciously known that, because it was the first site where I wondered why the organization name was next to the green padlock. If that were to suddenly change one day, I'd immediately become suspicious.
So, will you begin to look out for these two types of certs now? Did you know about EV and DV certs before or is this your first time hearing about it too?