Verify that a web site you are visiting is who it claims to be. Look for a distinctive color in the address bar of your browser. Green means go! If you see green, the web site has an EV Cert and it’s encrypted.
An example of this can be seen at Cornell’s CUWebLogin page; to see for yourself, visit any campus service that uses CUWebLogin for authentication, such as the Employee Essentials page. Cornell’s CUWebLogin page always displays the official Cornell University EV Cert. Click on the certificate name “Cornell University (US)” to view additional info about the certificate.
Firefox’s display of Cornell’s EV Certificate
Internet Explorer’s display of Cornell’s EV Certificate
Green EV Certs are more reliable, because a certificate authority has to verify a web site’s identity, before an EV Cert will be issued.
“Why are EV Certs more trustworthy?”
Bad guys are good at what they do, so they might create a site called cc.cornell.edu.rr.login, using Cornell’s name in the URL and even encrypting the site (thereby showing the color blue, a padlock, or https in the address bar). But a fraudster can’t actually prove a real affiliation with Cornell, so getting an EV Cert for a cornell.edu site should be impossible.
EV Certs are harder to fake. When you navigate your browser to a web site that has had its identity verified by a Certificate Authority, such as Verisign or Geotrust, the green color displays in your address bar and you can feel more assured about the trustworthiness of the site.
See www.cabforum.org for a list of extended validation guidelines (steps required before a certificate authority issues an EV Cert), and a current list of Certificate Authority Browser Forum members.
Other clues to look for in your address bar:
Yellow or red (sometimes accompanied by warning popup windows) – be very cautious. Something in the web site’s certificate doesn’t match up; it’s possible that it expired, or the web site you are visiting has been flagged as a risk.
A lack of color – the web site is not encrypted. Look for encryption, and valid certs, on sites where you type your credit card numbers or other confidential information that could put you at risk of identity theft.
A blue cert, a padlock, or https – the web site has a Secure Socket Layer (SSL) Certificate, which only ensures it’s encrypted. Anyone (including fraudsters) can get an SSL Cert to encrypt their web site. That said, regular SSL Certs aren’t bad, they just carry a higher risk than sites using EV Certs.
