Would you use a bank website if it did not have EV SSL?

Discussion in 'Apple, Inc and Tech Industry' started by savar, Feb 22, 2010.

  1. savar macrumors 68000


    Jun 6, 2003
    District of Columbia
    I've thinking for a while about switching my accounts from Bank of America and ING to a single, high-yield checking account from a regional bank.

    I was on the site last night and just about to pull the trigger. When I got to the personal details page, it was asking for info like SSN, home address, etc. All expected, of course, to open a bank account, but what caught me by surprise was that the bank's "Secure" website was not using an EV SSL certificate. (It was using a standard SSL certificate.) I was pretty surprised -- I would think that EV SSL mandated for financial institutions by now.

    Mint, BofA, and ING all use EV SSL, for example.

    So my questions is, would you use a site if it had standard SSL and not EV SSL?
  2. Creative One macrumors 6502

    Creative One

    Apr 25, 2009
    Standard SSL is good enough for me, and hell, if a hacker can break that, they can go ahead and have the relatively small funds in my account.
  3. roadbloc macrumors G3


    Aug 24, 2009
  4. steve2112 macrumors 68040


    Feb 20, 2009
    East of Lyra, Northwest of Pegasus
    It stands for Extended Validation certificate. It's part of an attempt to help prevent phishing from fake sites with fake SSL certificates. It's fairly easy to get a standard SSL certificate, so the Certificate Authorities (like Verisign) came up with this standard. Basically, they do a more in-depth investigation of the certificate requester. The idea is that the requester has proven they are legit, and the CA verifies them. The EV certificate also shows up differently on the latest gen browsers. You'll see the address bar turn green when going to a site with an EV certificate.
  5. maflynn Moderator


    Staff Member

    May 3, 2009
    I've never heard of EV SSL, so the basic answer is yes, I would use a my bank website if it did not have EV SSL. Heck, I'm not even sure how to tell if they even use one.

    If its used to phight phishing attempts, then as long as I'm sure I'm hitting the exact bank website, I should be ok. The extra security they (the bank) throws at you anyways seems to be ok. You know make sure that picture of the cute kitten you picked is actually showing up before entering your password.

    Edit: never mind on not knowing how to check. I just viewed my bank's SSL cert and its an extended verification one.
  6. Nermal Moderator


    Staff Member

    Dec 7, 2002
    New Zealand
    If I understand EV correctly, it's to ensure that the site is really run by who you think it is. Since I always go to my bank's site directly, I think I'm safe enough without it.

    Having said that, my bank supports it.
  7. kainjow Moderator emeritus


    Jun 15, 2000
    I've never heard of EV SSL but I just checked and my bank uses it. But now that I do know what it is, I'd probably say no, I wouldn't use a bank's site that didn't use EV SSL.
  8. bobr1952 macrumors 68020


    Jan 21, 2008
    Melbourne, FL
    Hmm--that is news to me too. But the "green text in address bar" is a good way to check I suppose--I have noticed it on my bank site but never gave it much thought. I don't know how important it is but now that I know about this, I might wonder why a financial institution wasn't using it. Granted, I wouldn't care for a simple sales transaction but for secure banking, it would seem prudent to offer the best security available.
  9. savar thread starter macrumors 68000


    Jun 6, 2003
    District of Columbia
    Thanks to everybody for the feedback. I guess I was over-reacting a bit.

    The standard SSL cert is fine if you're confident that you went to the right address.

    I'm the same as you -- I bookmark all sites and visit the bookmark rather than clicking links from external sources. In this scenario the standard SSL is just as good.
  10. miles01110 macrumors Core


    Jul 24, 2006
    The Ivory Tower (I'm not coming down)
    Just because a site doesn't have it doesn't mean they won't have it in the future. ING is one of the better banks when it comes to security; I seem to remember reading something about them considering the "upgrade" but can't find it.

    In any case, using better systems of trust and encrypted authentication are fine, but the general consensus in the security community is that the benefits for improving things like SSL are in steep diminishing returns. Attacks on encryption simply aren't very common these days.

Share This Page