Would you use a bank website if it did not have EV SSL?

[savar]

I've thinking for a while about switching my accounts from Bank of America and ING to a single, high-yield checking account from a regional bank.

I was on the site last night and just about to pull the trigger. When I got to the personal details page, it was asking for info like SSN, home address, etc. All expected, of course, to open a bank account, but what caught me by surprise was that the bank's "Secure" website was not using an EV SSL certificate. (It was using a standard SSL certificate.) I was pretty surprised -- I would think that EV SSL mandated for financial institutions by now.

Mint, BofA, and ING all use EV SSL, for example.

So my questions is, would you use a site if it had standard SSL and not EV SSL?

 

[Creative One]

Standard SSL is good enough for me, and hell, if a hacker can break that, they can go ahead and have the relatively small funds in my account.

 

[roadbloc]

What on earth is EV SSL?

 

[steve2112]

What on earth is EV SSL?

It stands for Extended Validation certificate. It's part of an attempt to help prevent phishing from fake sites with fake SSL certificates. It's fairly easy to get a standard SSL certificate, so the Certificate Authorities (like Verisign) came up with this standard. Basically, they do a more in-depth investigation of the certificate requester. The idea is that the requester has proven they are legit, and the CA verifies them. The EV certificate also shows up differently on the latest gen browsers. You'll see the address bar turn green when going to a site with an EV certificate.

 

[maflynn]

I've never heard of EV SSL, so the basic answer is yes, I would use a my bank website if it did not have EV SSL. Heck, I'm not even sure how to tell if they even use one.

If its used to phight phishing attempts, then as long as I'm sure I'm hitting the exact bank website, I should be ok. The extra security they (the bank) throws at you anyways seems to be ok. You know make sure that picture of the cute kitten you picked is actually showing up before entering your password.

Edit: never mind on not knowing how to check. I just viewed my bank's SSL cert and its an extended verification one.

 

[Nermal]

If I understand EV correctly, it's to ensure that the site is really run by who you think it is. Since I always go to my bank's site directly, I think I'm safe enough without it.

Having said that, my bank supports it.

 

[kainjow]

I've never heard of EV SSL but I just checked and my bank uses it. But now that I do know what it is, I'd probably say no, I wouldn't use a bank's site that didn't use EV SSL.

 

[bobr1952]

Hmm--that is news to me too. But the "green text in address bar" is a good way to check I suppose--I have noticed it on my bank site but never gave it much thought. I don't know how important it is but now that I know about this, I might wonder why a financial institution wasn't using it. Granted, I wouldn't care for a simple sales transaction but for secure banking, it would seem prudent to offer the best security available.

 

[savar]

If I understand EV correctly, it's to ensure that the site is really run by who you think it is. Since I always go to my bank's site directly, I think I'm safe enough without it.

Having said that, my bank supports it.

Thanks to everybody for the feedback. I guess I was over-reacting a bit.

The standard SSL cert is fine if you're confident that you went to the right address.

I'm the same as you -- I bookmark all sites and visit the bookmark rather than clicking links from external sources. In this scenario the standard SSL is just as good.

 

[miles01110]

Just because a site doesn't have it doesn't mean they won't have it in the future. ING is one of the better banks when it comes to security; I seem to remember reading something about them considering the "upgrade" but can't find it.

In any case, using better systems of trust and encrypted authentication are fine, but the general consensus in the security community is that the benefits for improving things like SSL are in steep diminishing returns. Attacks on encryption simply aren't very common these days.