Where’s your extended validation?

Recently, I went through the trouble and expense of getting allpar.com an “extended validation” secure-server certificate. That means if you’re in one of our pages, and you typed in the address as https://www.allpar.com rather than just http://www.allpar.com (it’s usually that way on the forums), you should see this:

It means that when you look at Allpar, it’s through a secure connection, and that the certificate that makes it secure was acquired by Allpar itself, not a pretender. That’s very handy.

Suppose I go to Chase bank. I see in the green area, “JP Morgan Chase and Co.” I know it’s them and not a clever phishing site with a similar name or some hidden character trick.

Anyone can get a normal lock on their site — domain-validated SSL certificates have no serious checks, they just look at whether you control the domain or not.  Extended validation means someone checked to make sure you are who you say you are. It includes a phone number to your phone of public record.

My local bank, of course, uses the old style domain validation that means nothing other than “you’re working on a secure connection to someone. We don’t know who.” Delta Airlines uses the old style as they collect your sensitive information.

Just about everyone in business and government should use extended validation. Is your company doing it? Why not?