EV SSL Certificates: The Security Equivalent of a Gold Toilet

3 hours ago

0 8 minutes read

EV SSL Certificates: The Security Equivalent of a Gold Toilet

If this was 2010, I’d tell you to buy an Extended Validation (EV) SSL certificate.

Back then, EV certificates turned the address bar green, displayed the company’s legal name in the URL bar, and showed a visible padlock confirming a site’s authenticity.

Screenshot of Thawte EV SSL certificate displayed in different browsers

But it’s not 2010. And EV SSLs are beyond dead now.

Today, paying for an SSL is like buying a gold toilet. Same outcome, a lot more expensive.

What EV Certificates Actually Did (and Why It Mattered)

The basic Domain Validation (DV) certificates you see today only verify a domain that you control. Anyone can get one of these certificates.

Extended Validation certificates require extensive business verification. Think legal documents, phone calls, address confirmation, and proof your company is real and operating.

The process can take days or weeks and involves human verification at every step.

The end result was your company name displayed in the browser like this example from Comodo (which is a major SSL certificate provider).

Side-by-side of browser UI before and after EV SSL visual changes — the company name and green bar are gone, replaced with a plain URL display.

But as you see now, even Comodo does not show any markers of an EV SSL.

What Makes EV SSL Certificates a Bad Choice Now?

The main thing that made EV certificates valuable was the visual indicators. And browsers were the driving force behind their removal.

The Shift That Killed EV Certificates

Sometime after 2015, SSL certificates became the standard for websites.

The padlock icon became more of an expectation than a trust signal.

To eliminate redundancy, Chrome removed the green color URL bar in 2018 and replaced the padlock icon with the tune icon in 2023. Firefox eliminated EV indicators in 2019, and other browsers followed suit.

Any website without a valid SSL certificate was marked as “Not Secure.”

People had to click “Advanced” and “Proceed to site anyway (unsafe)” before they could view such a website.

With that, the value proposition of EV SSL certificates evaporated. Yet, you still see companies selling them like nothing has changed!

Browsers Also Found that EV Doesn’t Help

The removal of visual cues wasn’t arbitrary. It was backed by researched.

The green URL bar would seem valuable in the close up screenshots.

But when Google’s security team studied whether the expensive verification provided real security benefits, they found that “the EV UI does not protect users as intended.”

Users don’t make different security decisions when EV indicators are present or absent. Mozilla reached similar conclusions after their own research.

The conclusion? Spending on EV certificates didn’t translate to better protection from actual threats, like phishing or malicious websites.

Majority of Users Never See EV Information Anymore

Once Chrome 77 and Firefox 70 were released somewhere in 2018, the last bit of EV information was hidden away as well.

Example of a valid SSL certificate in action — the browser confirms the connection is secure, often shown with a padlock icon.

The company name, the extended validation status, the verified business information — everything was put under the tune icon and required users to click to view certificate details.

So, the majority of users would never see the EV details that supposedly justified the premium pricing.

A Certificate’s a Certificate — All of Them Provide Identical Encryption

The job of an SSL certificate is to encrypt data traveling from a visitor’s browser to the company server. This ensures that bad actors cannot spy on the data.

Visual comparison of insecure (HTTP) vs secure (HTTPS) connections — showing how SSL certificates protect data in transit.

ANY SSL certificate can encrypt data the same way.

The encryption algorithms are identical: RSA-2048 for key exchange, SHA-256 for digital signatures, AES for symmetric encryption.

The browser establishes the exact same secure tunnel regardless of which certificate authority issued the certificate or how much you paid for it.

Whether you’re using a free SSL certificate or a $500 Extended Validation certificate, the actual security protecting your users’ data is exactly the same.

With EV certs, you’re only paying money for the extra paperwork with zero additional benefit.

What’s a Better Option in 2025 and Beyond?

Let’s Encrypt completely disrupted the SSL market by making certificates free, automated, and just as secure as expensive alternatives. Now, everyone with a domain could get an SSL certificate.

Let’s Encrypt Dominates the Market for a Reason

Let’s Encrypt, the free domain validation certificate provider, controls 63% of the entire SSL certificate market. The rest of the market is shared between other DV and EV SSL providers.

The company issued over a billion certificates by 2020.

Steady rise in SSL adoption: This chart highlights the explosive growth in SSL certificates issued daily by Let's Encrypt from 2016 to 2025. — Source

And now Let’s Encrypt issues over 7 million new certificates per day.

Automation Is Better Than Manual Processes

While the SSL industry sold expensive certificates with manual verification processes that took days or weeks, Let’s Encrypt introduced automation and efficiency.

The ACME protocol allows certificates to be issued, installed, and renewed without human intervention, often in minutes vs. days.

This automation ensured security along with convenience. SSL certifying authorities (CA) could now use shorter lived certificates (for example, 90 days).

Even if an attacker gains access to a CA’s private key (the key that tells a browser it’s a valid certificate), it’ll only be valid for 90 days, after which a new key is generated and the previous keys are deemed invalid.

If 90 days sounds like a lot, SSL providers are already taking steps to reduce it further.

Short Lifespans Make Manual Verification Almost Impossible

The SSL industry is moving toward even shorter certificate validity periods.

The maximum lifespan is expected to be 200 days by 2026, 100 days by 2027, and 47 days by 2029.

Imagine going through EV’s manual verification process — with legal documents, phone calls, and business verification — every 47 days. The administrative overhead alone would be crushing, making them no longer worth it.

That probably explains why there are only 21,000 websites with an EV certificate in 2025.

Domain Validation (DV) Certificates Are Usually All You Need

Domain Validation certificates (whether free or paid) offer several advantages over expensive EV certificates.

Identical encryption: Your users get the same security
Automatic renewal: No risk of expiration outages
Faster deployment: Minutes instead of days or weeks
No administrative overhead: No paperwork, phone calls, or business verification
Future-proof: Designed for the shorter certificate lifespans coming in 2029

Free DV SSL certificates like Let’s Encrypt and CloudFlare provide the same level of protection as other certificates. If that’s all you need, go with a free certificate.

For large organizations or e-commerce businesses that need customer support, longer expiry dates, and security seals for building trust, a professionally signed DV SSL certificate makes sense.

Do Big Companies Use EV Certificates and Does Anyone Actually Need Them?

If EV certificates were truly necessary for security and trust, you’d expect the biggest companies to use them.

They don’t.

Even Amazon, Netflix, and Walmart Use Free Certificates

Troy Hunt, the creator of Have I Been Pwned shared a tweet when Chrome first started experimenting with removing the EV indicator from the browser in the first half of 2018.

This tweet underscores the decline of EV SSL visibility—Chrome's shift away from showing organization names in the address bar signals a broader move toward simplified, padlock-only indicators. — Source

Amazon, Netflix, Walmart, eBay, Target, Best Buy: enterprises with unlimited security budgets, teams of experts, and millions of customers entering sensitive information daily — they’re all running standard Domain Validation certificates.

When Shopify and Amazon process billions in transactions using free SSL certificates, what exactly are EV certificate vendors claiming to protect you from that a free certificate can’t?

These companies aren’t cutting corners on security. They’re simply using certificates that provide the exact same encryption without the unnecessary documentation overhead and costs.

Does It Make Financial Sense To Pay for EV Certificates?

The economics of EV certificates don’t add up when you look at what you’re actually getting.

You’re Paying for Industry Self-Interest

The Certificate Authority Browser Forum sets industry standards, but it’s essentially a coalition of certificate providers making rules to sell more expensive certificates.

A redditor who claimed to have worked for a certificate authority answered the question: “What’s the point of high-end SSL certificates?”

They stated that there’s no difference between a high-end SSL vs. a regular one. It’s just a way for certifying authorities to sell you more certificates.

This Reddit comment highlights a growing skepticism: many view SSL certificates—especially premium ones—as more about profit than protection, with little practical difference in security.

This creates obvious conflicts of interest when the same companies selling expensive certificates are writing the rules about when expensive certificates are “necessary.”

Those Million-Dollar Warranties Are Marketing Gimmicks

EV certificates come with warranties, usually between $10,000 and $2 million, depending on the certificate type. These warranties supposedly protect you if the certificate authority makes mistakes that lead to security breaches.

But according to experts like Troy Hunt, these warranties have been marketing gimmicks all along.

Scott Helme, the founder of Report URI, also mentioned three scenarios covered by these warranties.

Statement of Scott Helme, the founder of Report URI, regarding certificate warranties

But none of these scenarios actually lead to you getting a claim. For one, a certificate cannot be issued without valid information, so the first item is immediately disqualified. The second and third are similarly baseless.

I’d recommend reading through Scott’s article as well as Troy’s article to get a clearer understanding of why I, too, am calling these marketing gimmicks.

Do You Ever Need an EV Certificate Then?

Despite everything we’ve talked about above, EV certificates do have some use.

Here are a few specific situations where you’d need to fall back on EV certificates.

Financial institutions under strict regulatory requirements: Some compliance frameworks, like PCI DSS or specific banking regulations, mandate EV certificates. If your regulator requires it, you don’t have a choice.
Legacy IT appliances: Some older systems, particularly enterprise hardware from the early 2000s, don’t recognize Let’s Encrypt’s root certificates. This is increasingly rare as old systems get replaced.
Enterprise policies requiring specific certificate types: Some large corporations have internal policies mandating EV certificates for public-facing sites. This is usually more about corporate risk management than actual security.
Code signing and document signing: Let’s Encrypt only issues DV certificates. If you’re signing software downloads or documents, you’ll need certificates from traditional certificate authorities.

For the vast majority of websites like blogs, e-commerce stores, SaaS applications, marketing sites, and most business websites, an EV certificate provides no meaningful benefit over free alternatives.

Should You Just Get Free Certificates and Move On?

In my opinion, the answer is a resounding YES. In fact, for 99% of websites, the answer is yes.

Here’s why:

The Market Has Already Decided

Domain Validation certificates make up the majority of the market.

Pie chart showing most SSL usage comes from default or free options like Let's Encrypt, with paid certs making up a small slice.

According to BuiltWith, there are over 258 million SSL certificates on the internet as of June 2025. The majority are free, automated, and provide excellent security.

Note: You will notice SSL By Default has the largest share here. However, Let’s Encrypt also sells SSL By Default certificates. So, even though it’s shown separately, I’d consider them as a single entity.

Invest Your Money in Security That Actually Matters

The time and money you save can go toward security measures that actually matter: better hosting infrastructure, security monitoring, regular backups, web application firewalls, or penetration testing.

Most hosting providers — like DreamHost — now offer one-click Let’s Encrypt integration. If yours doesn’t, it might be time to find a hosting provider that understands it’s 2025, not 2010.

Stop Overthinking It, a DV SSL Is All You Need

Extended Validation certificates are expensive solutions to problems that can mostly be solved for free. I’m not referring to the highly regulated industries which need EV SSLs — for the rest of the world, a DV SSL should suffice.

The encryption is identical, browsers killed the visual indicators, and even the largest companies don’t use them.

Here’s what you should actually do:

Log into your hosting control panel
Enable free SSL with one click
You’re done!

Your users get the same encryption that protects Amazon and Shopify.

If your host doesn’t offer a free SSL, you need to move to a hosting provider like DreamHost that does!

Save your money for security that actually matters: backups, monitoring, or a web application firewall.

Those will protect your website far better than paying hundreds annually for premium paperwork.

If you’d rather hand the technicalities over to a professional, we’ve got you covered with our professional website management services!

Pro Services – Website Management

Website Management Made Easy

Let us handle the backend — we’ll manage and monitor your website so it’s safe, secure, and always up.

Learn More

3 hours ago

0 8 minutes read

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

EV SSL Certificates: The Security Equivalent of a Gold Toilet

What EV Certificates Actually Did (and Why It Mattered)