Here is an article from NetworkWorld claiming that an online travel agency in Australia has improved their sales completion rate by deploying Extended Validation (EV) certificates. Our research, on the other hand, shows that users typically do not even look at the area of the browser where certificate information is shown (we used an eye tracker), and have a great deal of difficulty understanding the information if they do look. We also find that the introduction of EV certificates makes the usability worse and security decisions harder. This seems like a thinly veiled advertisement for VeriSign’s products. Buyer beware.
Online travel takes off with EV SSL security
“Since implementing VeriSign’s EV SSL Certificates, our online sales have really taken off. We have experienced greater conversion rates, a reduced rate of booking abandonment and a noticeable drop in customer concerns relating to security issues,” Lynch said.
While the article you cite is likely an advertisement or PR release of some kind, I’m wondering if you could further explain this statement:
“We also find that the introduction of EV certificates makes the usability worse and security decisions harder.”
Doesn’t EV SSL have only negligible effects on functionality if implemented properly? And I guess that you mean it makes security decisions harder in the sense that users have a hard time understanding what it means, but it seems like at least most folks are familiar with either the ordinary SSL padlock or the green url bar (also, if EV SSL doesn’t inform security decisions, does regular SSL? If not, what would the alternative be?).
Just curious because my experience runs contrary to yours, and I haven’t heard from many with negative data — would be helpful to bear in mind.
Joe;
Thanks for the comments. The research I was refering to can be found at
http://www.scs.carleton.ca/research/tech_reports/index.php?Abstract=tr-09-02_0023&Year=2009
and
http://www.andrewpatrick.ca/wp-content/uploads/ESORICS2008.pdf
and
http://www.scs.carleton.ca/research/tech_reports/index.php?Abstract=tr-09-06_0027&Year=2009
What we argue is that EV SSL introduces a third type of certificate (along with self-signed and basic) to a situation where people do not use or understand what already exists. Our eye-tracking study found that most people don’t even look at the lock icon or URL bar when making security decisions and, if they do, they don’t understand what they are seeing. So we question whether introducing EV SSL simply makes the situation more confusing rather than helping. I would argue that SSL does not inform security decisions.
In our research we have tested some alternatives to the lock icon (a 3-light progressive confidence indicator) and new wordings for the descriptions of the certificates. We think that separating identity and encryption are crucial for improving SSL interfaces, and we offer some suggestions for doing that. The results show that this makes things better, but there is still a long way to go. We are left wondering if the fundamental concept behind SSL is so broken that we should be thinking about developing something else.
Thanks much for clarifying, Andrew, and your data is indeed both interesting and important to note, since the success of EV is more or less dependent on whether or not customers recognize it. I’m not sure that the “fundamental concept behind SSL is so broken,” though — the technology does what it’s supposed to do (ie, secure communications between two points and verify the identity of a website). It was never technically intended for anything beyond that. The problem, perhaps, is that more people need to be educated as to how this technology works and how to tell that it’s doing what it does — a different but equally important matter that you offer some good points on.
Just idle speculation that doesn’t intend to argue against the necessity for improvement: I wonder if some of these issues will slowly evaporate once the next generation of web users comes of age with these technologies around them?