­
Lock logo 70px
ExpeditedSSL - Fastest+Easiest Heroku SSL


Visual Security: Browser SSL Icons & Design

You may have noticed that the SSL indicator in your browser looks different on some sites than others. This is because SSL certificates are issued at different validation levels (essentially background checks of the organization requesting a SSL certficate).

VALIDATION LEVELS

Standard (Domain) Validation is easier and faster to obtain for a SSL certificate. Most commonly, an email containing an authorization link will be sent to an email address on the domain registration or that is one of the 'system' accounts for a domain, example: 'admin@example.com, postmaster@example.com'.

Extended Validation methods differ with each certificate provider, but each certificate authority must establish the legal identity, operation and physical location of the website owner, that the owner has exclusive control over the domain name. Additionally, to improve security, it is not possible to obtain an EV wildcard certificate.

WHICH TO USE

Bytes being transferred between a browser and a server aren't more secure with one or another, it's purely an indication of legal name standing and primarily an anti-phishing measure. Extended Validation certificates are substantially more expensive (10x) than standard certs, so unless your site is a target for phishing attacks or the cert would help with conversions, standard/domain certificates should be fine.

To help indicate this distinction in validation levels, browser makers represent the SSL validation level with different visual elements, screenshots below.


SSL Browser Screenshots

Mobile Chrome Android ICS

Identical presentation, no indication of Extended Validation.

Standard
Standard validation android ics chrome
Extended
Extended validation android ics chrome

Android ICS Browser

If you look closely at the certificate information for the standard valiation you will note that it is actually for Google and not the ExpeditedSSL site. This appears to be due to some bug in the stock Android browser.

Standard
Standard validation android ics ssl
Extended
Extended validation android ics ssl

iOS Mobile Safari

No indication of SSL for the the standard and just the company name displayed for the EV. This showing of only the company name and not the URL is another anti-phishing measure.

Standard
Standard validation mobile safari ssl
Extended
Extended validation mobile safari ssl

iOS Mobile Chrome

Identical presentation. No indication of Extended Validation.

Standard
Standard validation ios chrome
Extended
Extended validation ios chrome

Desktop Chrome

Extended Validation displays the compay name in a green box within the address bar along with a green lock icon. Standard has a less prominent green lock icon and just the protocol in green.

Standard
Standard validation desktop chrome ssl
Extended
Extended validation desktop chrome ssl

Desktop Safari

Only displays a subdued gray icon box for standard SSL. Extended is green with company name displayed.

Standard
Standard validation safari ssl
Extended
Extended validation safari ssl

Desktop Firefox

Very subtle gray lock icon. It is highly unlikely that a user will know that SSL is being used. Really not sure what the blue and green crossing guard icons represent.

Standard
Standard validation firefox ssl
Extended
Extended validation firefox ssl

IE 11 on Win 8.1

Probably the most dramatic of the browser differences, for the EV certificate the entire address bar is colored green.

Standard
Standard validation internet explorer 11 ssl
Extended
Extended validation internet explorer 11 ssl