Thawte EV Whitepaper CH

  • 8/12/2019 Thawte EV Whitepaper CH

    The Truth About Online Trust

    Building Trust Standards on the Web

    WHITE PAPER 2013

    CONTENTS

    The Trust Equation
    Summary of Research
    Trust Matters For Some More than Others
    What are the Signs of Trust?
    When is Trust Most Important?
    Not All SSL is Created Equal
    UK: Big on Trust and Building Trust
    Germany: Realistic and Pragmatic on Trust
    France: No Problems Here
    EV Authentication: Boosting Trust on the Web
    References

    Protect your data, safeguard your business, and translate trust to your customers with high-assurance digital security certificates from Thawte, the world's first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide.

    THE TRUST EQUATION

    Trust is a fundamental currency on the web. In a virtual world, where you never know for sure who is controlling the website you are viewing or consuming the information you are sharing, meaningful interaction is impossible without high levels of trust. Increasingly, as cybercriminals have become more sophisticated in setting up spoof phishing sites to fool users into handing over personal details and passwords, sites need more than standard certificates to engender trust.

    Thawte commissioned a survey aimed at establishing how trustworthy IT managers in three European countries believe their websites to be. This paper reports the findings of the survey and raises some additional questions around building trust for website owners and managers.

    At one level, building trust is a simple balanced equation: higher levels of trust on one side = more trusting users willing to complete interactions and transactions on the other. A lessening of trust on one side of the equation, such as a leaking of user details, leads to a lessening of what users are prepared to do or complete on the other.

    The survey went on to ask what IT managers' perceptions are of the level of trust they require, and at what point that trust is most critical. The survey also wanted to discover what impact trust indicators such as Extended Validation (EV) SSL certificates had on this perception.

    Finally, this paper asks whether IT managers are making the most of the opportunity to engender trust and cultivate loyal customers, to build online interactions and to boost online business.

    The survey questioned 150 IT professionals in all sizes of business and across all industry sectors including education, healthcare, government, retail, business services, travel & leisure and finance. One third of the respondents were in the UK, a third in Germany and a third in France, and the majority were either decision makers or influencers.

    While there were low adoption levels of EV, and low awareness of what it was all about, those who have embraced it believe their websites are rated more trustworthy than those of their peers. One in five participants in the UK, and 13% overall, recognised the need for websites to have more than standard SSL.

    However, the survey also demonstrated the trust conundrum: while more than half of participants rated their websites as highly trustworthy, nearly two thirds of this group employed no trust indicators at all.

    SUMMARY OF RESEARCH

    [Chart: What indicators do you have that customers trust your website? Values in the order: traffic volumes / repeat visits / willingness to share personal details / willingness to complete transactions / no indicators, none, not applicable or not sure.
    Total: 27% / 23% / 8% / 5% / 49%
    UK: 26% / 30% / 12% / 8% / 38%
    DE: 25% / 18% / 8% / 6% / 65%
    FR: 30% / 20% / 4% / 0% / 46%]

    [Chart: Some organisations think their customers need more than standard SSL - but not in France. UK: yes 20%, no 80%. DE: yes 18%, no 82%. FR: yes 0%, no 100%.]

    Many believe it's important that the validity of certificates is checked in real time.

    Organisations think they are trustworthy - but cannot quantify why they think this.

    [Chart: How trustworthy do customers consider websites to be? Scale from "Not trustworthy" to "Highly trustworthy", with rows for Total, UK, DE and FR. Values shown: 1, 5, 37, 57.]

    [Chart: What indicators do you have that customers trust your website? Traffic volumes 27%, repeat visits 23%, willingness to share personal details 8%, willingness to complete transactions 5%, no indicators / none / not applicable / not sure 49%.]

    TRUST MATTERS FOR SOME MORE THAN OTHERS

    Traditional SSL has, for many years, provided website visitors with the assurance that their interaction with a website is secure. The lock icon that appears when an SSL connection has been created between host and client machine, and the https URL address, show that when information such as user names and passwords is exchanged, it is encrypted and only accessible by the website owner.

    However, the limitations of traditional SSL authentication are beginning to be exposed. For a start, traditional SSL certificates only validate the website domain name and confirm that it belongs to the stated owner. This means consumers could have the assurance of SSL encryption but still be visiting a compromised site.

    Secondly, some certificate authorities will provide SSL certificates without checking the authenticity of the organisation behind the website and whether it is a legitimate business entity worthy of trust. Cybercriminals could therefore set up a counterfeit site, obtain an SSL certificate for it, and dupe consumers into handing over personal details, while still being genuine website owners.

    Thirdly, some cybercriminals have SSL certificates which are self-signed, with both public and private keys owned by them and no certificate authority vouching for the certificate. This discrepancy and others would be highlighted by any modern browser but many users would not be aware of the problem.

    Our survey found that one in five respondents in the UK, and 13% overall, believe their customers now need more than standard SSL to feel comfortable completing transactions. The trend was particularly pronounced in the education, retail and travel sectors, where the integrity of transactions is most pronounced. Equally, these organisations also believed the trustworthiness of their website was most important at registration, a key point when trustworthiness is questioned, as outlined in the Trusting Times section of this paper.

    For organisations that want to demonstrate to their users that their websites provide more than standard levels of security, Extended Validation (EV) can provide a compelling option.

    [Chart: Do customers need more than standard SSL certificates to feel comfortable completing transactions? Total: yes 13%, no 87%. UK: yes 20%, no 80%.]

    WHAT ARE THE SIGNS OF TRUST?

    According to our survey, most organisations think their customers consider their website to be reasonably or highly trustworthy but, significantly, few can quantify their reasons for thinking this, and nearly two thirds of this group are doing nothing to help build trust with users. So are they right to be so confident about their customers' experience?

    Over half of participants (57%) think customers consider their website to be highly trustworthy, while an additional 37% think customers consider their site trustworthy. That leaves just 6% thinking their customers consider their site less than trustworthy, and just 1% (2 people) untrustworthy.

    Different industry sectors have different sensitivities. Education has the lowest levels of trust and is the most cost-sensitive sector. Healthcare considers its sites highly trustworthy but also has fewer trust indicators, such as SSL, trust seals or EV.

    Whether consumers share these organisations' assertions around trust is a moot point: all the signs suggest that they are looking for further reassurances.

    Nearly half (49%) of survey respondents admit that they have no reason to think customers trust their website. Just over a quarter (27%) cite traffic volumes, and 23% repeat visits, while only a handful bring up willingness to share personal details or complete transactions as evidence their customers trust their website.

    Unfortunately, organisations not only appear to be overconfident about their users' perceptions of trust, they are also doing little to engender these feelings of trust. While nearly a third (31%) use SSL certificates, only 8% have trust seals and 5% use Extended Validation SSL certificates.

    A staggering 61% of respondents had no trust indicators at all, which means they are making no efforts to build trust with users of their website, and a standout 64% of those who considered their sites to be highly trustworthy had no trust indicators.

    [Chart: How trustworthy do customers consider websites to be? Scale from "Not trustworthy" to "Highly trustworthy". Values shown: 1, 5, 37, 57.]

    [Chart: What indicators do you have that customers trust your website? Traffic volumes 27%, repeat visits 23%, willingness to share personal details 8%, willingness to complete transactions 5%, no indicators / none / not applicable / not sure 49%.]

    WHEN IS TRUST MOST IMPORTANT?

    Organisations may appear blasé about the trustworthiness of their websites, but from a user perspective there are certain types of websites that inspire high levels of trust and key moments in the interaction lifecycle when that trust is challenged.

    A user browsing the web for information, for example, is likely to navigate to a site that has a high level of trust attached to it, rather than a site that they have little previous experience of, or low credibility attached to the brand. Similarly, users looking to complete transactions on sites will look for signs of trust, and will question the authenticity of sites at key moments.

    More than half (54%) of participants believe trustworthiness of their site is important at all times, but nearly a third (32%) singled out registration as a key moment for trust, and more than one in ten (11%) pointed to checkout.

    Trust is important for all websites, but some IT managers just require basic encryption to protect user names and passwords while others handling sensitive personal information need stronger encryption and in-depth site owner verification.

    Not surprisingly, retail and finance industries consider trustworthiness most important at registration and checkout. Websites that are able to offer varying trust indicators are best suited to the expectations of users.

    At these points, it's critical that website owners do their utmost to engender trust so users carry through their registrations or transactions, rather than getting cold feet and leaving the process midway through. Incomplete processes are the worst from an organisation's perspective because it has invested the time and effort to push the user down a particular channel and that user is either lost, or the organisation has to commence the transaction again through another channel.

    [Chart: When is the trustworthiness of a website most important? At the registration process 32%, at checkout 11%, when advertising pops up 3%, at all times / all of the above 54%.]

    NOT ALL SSL IS CREATED EQUAL

    As the foundation of trust on the web, it's critical that SSL certificates and their issuing certificate authorities (CAs) are beyond reproach.

    However, not all certificates are created equal, nor do all CAs exercise the same rigour when issuing certificates. As websites' needs have become clearer, a new class of authentication, Extended Validation (EV), has been put forward to provide an extra layer of protection.

    When asked what is or would be most important when sourcing SSL certificates, aside from the obvious concern around cost (27%), the critical thing organisations are looking for is ease of use (22%), clearly ahead of brand (15%), visitors' perception (13%), and the provision of value-added services (8%).

    Separately, participants were asked how important it was that the validity of SSL certificates was checked in real time and more than three quarters (76%) of organisations surveyed thought it was important or very important.

    Cost-effective Extended Validation (EV) meets the requirements for improved trust standards, ease of use and real-time checking. A set of guidelines developed by the Certificate Authority/Browser Forum (CA/B Forum) [1], EV effectively raises the bar for the standard of certificate being provided.

    CAs go through a rigorous audit to ensure they follow guidelines on business verification practices including a 13-step analysis on the business behind the website.

    These steps include:

    • Verifying the existence of the organisation and that its identity matches official records
    • Verifying the organisation has exclusive rights to use the domain
    • Confirming the contact in the EV SSL request
    • Verifying the order

    When visiting a site with EV SSL, the address bar turns green and the certificate authority that provided the certificate is highlighted. This simplifies the identification of an EV certificate's presence and confirms that it was provided by a credible source. EV also allows real-time certificate validity checking; if the certificate is no longer valid, the bar will not turn green.

    [Chart: What is most important when sourcing SSL certificates? Cost 27%, ease of use 22%, brand 15%, visitor / customer perception 13%, value-added services 8%.]
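    The difference between the certificate types described in this section and under "Trust Matters For Some More than Others" (domain-only validation, self-signed certificates, and EV's organisation checks) is visible in the certificate's subject fields. The following is an added example, not part of the Thawte paper: it assumes certificates in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), uses constructed sample certificates, and its function names are our own. Field-based classification is a heuristic; the authoritative EV marker is the CA/B Forum policy OID, which that dict does not expose.

```python
# Added example: classify certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(). Subject fields are a heuristic; the authoritative
# EV marker is the CA/B Forum policy OID 2.23.140.1.1, which that dict omits.

# EV subjects carry these attributes on top of the organisation name. OpenSSL
# builds without a long name for the jurisdiction attribute print its OID.
EV_REQUIRED = {"businessCategory", "serialNumber"}
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}


def flatten(name):
    """Turn getpeercert()'s tuple of RDNs into {attribute: [values]}."""
    out = {}
    for rdn in name or ():
        for key, value in rdn:
            out.setdefault(key, []).append(value)
    return out


def classify(cert):
    """Return (level, organisation) for one certificate dict."""
    subject = flatten(cert.get("subject"))
    issuer = flatten(cert.get("issuer"))
    if not subject:
        # getpeercert() returns {} when the peer certificate was not validated.
        return ("unknown", None)
    org = (subject.get("organizationName") or [None])[0]
    if subject == issuer:
        # Self-issued: whatever organisation it names, no CA checked it.
        return ("self-issued", org)
    if org is None:
        # Only control of the domain name was validated.
        return ("DV", None)
    keys = set(subject)
    is_ev = EV_REQUIRED <= keys and bool(EV_JURISDICTION & keys)
    return ("EV" if is_ev else "OV", org)


def rdns(*pairs):
    """Build a name in getpeercert() form from (attribute, value) pairs."""
    return tuple((pair,) for pair in pairs)


# Constructed sample certificates (not real ones).
CA = rdns(("countryName", "GB"), ("organizationName", "Example CA"),
          ("commonName", "Example Issuing CA"))
DV_CERT = {"subject": rdns(("commonName", "shop.example")), "issuer": CA}
OV_CERT = {"subject": rdns(("countryName", "GB"),
                           ("organizationName", "Example Shop Ltd"),
                           ("commonName", "shop.example")), "issuer": CA}
EV_CERT = {"subject": rdns(("jurisdictionCountryName", "GB"),
                           ("businessCategory", "Private Organization"),
                           ("serialNumber", "00000000"),
                           ("countryName", "GB"),
                           ("organizationName", "Example Shop Ltd"),
                           ("commonName", "shop.example")), "issuer": CA}
SELF_NAME = rdns(("organizationName", "Example Shop Ltd"),
                 ("commonName", "shop.example"))
SELF_CERT = {"subject": SELF_NAME, "issuer": SELF_NAME}

if __name__ == "__main__":
    for label, cert in [("dv", DV_CERT), ("ov", OV_CERT), ("ev", EV_CERT),
                        ("self", SELF_CERT), ("unvalidated", {})]:
        print(label, classify(cert))
```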

    UK: BIG ON TRUST AND BUILDING TRUST

    The UK appears to be a relatively sophisticated market, both in the trust measures that already exist and in its efforts to boost trust standards on websites. But in order to meet best practice, organisations need to be prepared to invest more.

    The UK has the highest average rating for how trustworthy organisations believe their customers consider their websites to be (3.52 out of 4). Over three quarters of respondents (78%) rated them highly trustworthy compared to an average across all markets of 57%. A further 14% considered them fairly trustworthy.

    Is the UK justified in this assessment? Compared to other markets, its adoption of trust indicators is no better than average. When asked what trust indicators they have on their websites, more than half of participants (56%) have nothing, compared to an average across all markets of 61%. However, the presence of SSL certificates was slightly down on the average with just 30% adoption, only one in ten had trust seals, and 6% EV authentication.

    Balanced against this, the UK felt the highest need for EV, with one in five (20%) acknowledging that customers need more than standard SSL certificates to feel comfortable completing transactions with their site. This compares to an average rating of 13% (and no participants agreeing in France).

    The UK also has the most organisations aware of the CA/B Forum, with an approximate 40-60 split between those who are familiar with the Forum behind the EV guidelines for SSL certificates and those who aren't.

    This market is clearly highly sensitive to trust issues and mature in its appreciation of what is required to build trust. The fact that it was also the market that ranked cost as its standout concern (for 40%) when sourcing SSL certificates might explain why this appreciation has not led to greater adoption. Clearly the UK needs to step up to the challenge and put its money where its mouth is.

    [Chart: The UK had the highest average rating of how trustworthy organisations considered their websites to be. Scale from "Not trustworthy" to "Highly trustworthy". Values shown: 2, 6, 14, 78.]

    GERMANY: REALISTIC AND PRAGMATIC ON TRUST

    Organisations in the German market, in stark contrast to the UK and France, have a realistic appreciation of the trust that their customers put in their websites, together with a pragmatic approach to what they need to do to improve that trust.

    Germany has the lowest average rating for how trustworthy organisations thought their customers considered their websites to be, at 3.41 out of 4. Less than half (45%) of respondents rated themselves highly trustworthy, with the majority (51%) plumping for fairly trustworthy.

    Germany also has the most participants citing no reason to consider their sites trusted, with a staggering 65% able to give no reason why they thought customers might trust their website. Given their low self-assessment, German organisations could clearly do more to evaluate perceptions of trust.

    Nonetheless, Germany shows an average adoption of trust measures with nearly a third adopting SSL certificates (32%), 12% trust seals and marks, and a number of companies (8%) with Extended Validation (EV) authentication.

    What stands out in the German market, compared to the other two countries, is its enlightened attitude to the value provided by SSL certificates. More than a third (34%) cited ease of use as the most important thing when sourcing SSL certificates, followed by visitor perception (18%) and then brand (14%). This is almost the opposite of the other markets, where cost was always ranked top and visitor perception rarely featured.

    A relatively high percentage (18%) agreed that customers need more than standard SSL certificates to feel comfortable completing transactions with their site, and more than a third (34%) were familiar with the CA/B Forum and how it relates to SSL certificates. Of these, more than three quarters agreed that it was very important that a standard for SSL certificates be agreed between CAs and browser manufacturers.

    German organisations are clearly aware of the issues surrounding trust on their websites and they know they need to improve. Standards such as EV may hold the key to take the market to the next level.

    [Chart: Germany had the highest percentage citing no reason to think their websites were trusted. Traffic volumes 25%, repeat visits 18%, willingness to share personal details 8%, willingness to complete transactions 6%, no indicators / none / not applicable / not sure 65%.]

    FRANCE: NO PROBLEMS HERE

    Organisations in France appear in denial about both their current evaluation of trust, and the measures they need to put in place to improve trust standards with customers looking to complete interactions with their websites.

    Only half of organisations (50%) in France considered that their customers thought their sites to be highly trustworthy, and this was no surprise as the market has the lowest adoption of added generators of trust such as trust seals (2% - 1 respondent) and Extended Validation (EV) SSL certificates (2% - 1 respondent). More than two thirds (68%) have no trust indicators on their websites, while 30% have SSL certificates.

    In line with other markets, nearly half of the organisations surveyed (46%) have no indicators that their customers trusted their websites. However, French respondents jump out in that 68% considered the trustworthiness of their websites most important at all times.

    The French market is not particularly price sensitive - 30% considered price most important when sourcing SSL certificates compared with 40% in the UK and 27% overall. But brand was more important than in other markets, with 26% rating it most important.

    The standout figure for France was that no organisations surveyed considered that their customers needed more than standard SSL to feel comfortable completing transactions with their website. This compared with 13% overall and 20% (10 respondents) in the UK. This is clearly down to awareness, as only 8% (4 respondents) were familiar with the CA/B Forum, the organisation that agreed the guidelines for awarding EV SSL certificates.

    Organisations in France clearly need to step up to the mark or risk falling behind other countries in building trust standards on their websites. The fact that so few were familiar with the benefits of the higher level of trust that EV builds suggests that there's an education job to be done.

    [Chart: France had the highest percentage of organisations on their website. None 68%, the golden padlock/http which shows the presence of an SSL certificate 30%, trust seals or marks of assurance 2%, a green browser bar indicating Extended Validation SSL 2%.]

    EV AUTHENTICATION: BOOSTING TRUST ON THE WEB

    The findings of this survey should come as a wake-up call to any organisation assuming its website is highly trusted by users, but doing little or nothing to earn that trust. Trust is a valuable commodity for all websites, particularly for order-taking sites, and at critical moments such as checkout, an extra layer of reassurance needs to be provided. But IT managers need to provide clear signs to users that their websites are trustworthy.

    Some IT managers recognise this and are looking for more than standard SSL certificates to reinforce trust, so that when users see their browser bar turn green, they know that transactions are secured and encrypted, and that the organisation behind the site has been through an extra level of verification.

    The survey shows that IT managers want cost-effective, easy-to-use trust certificates that not only provide the verification of the site owner, but also real-time checking of the validity of the certificate to ensure it hasn't been revoked.

    Extended Validation (EV) offers all these benefits, and consumers are clearly responsive to them. According to a separate 2011 consumer study [2], online shoppers are more likely to enter their credit card and/or other confidential financial information into a website with the SSL EV green bar, which most shoppers (60% in the survey) said increased their feeling of security. Conversely, over half said they would abandon a purchase if an unfamiliar site did not have the green bar.

    By identifying the certificate authority (CA) that provided the certificate, EV is also raising the bar for the whole industry, encouraging websites to obtain their certificates from a reputable CA, and forcing CAs that want to issue EV SSL certificates to go through a WebTrust audit. [3]

    In addition, some security providers such as Thawte provide trust marks and seals as an added sign of protection. In Thawte's case, this comes free with the purchase of any Thawte SSL certificate.

    However, there are still low levels of awareness among IT managers of the need for and benefits of EV. In our survey, a high 87% of websites (and 100% in France) still think customers need no more than standard SSL certificates to feel comfortable completing transactions. This clearly contradicts the consumer findings. And more than three quarters (76%) are not aware of the CA/B Forum which oversees the EV standard.

    IT managers and website owners have a responsibility to help engender trust on the internet and EV is one of the most powerful ways of providing this. Ultimately, too, if the trust equation is worked through, building a better trust standard is good for business.

    REFERENCES

    1. The CA/Browser Forum is comprised of over 30 browser manufacturers, CAs and WebTrust auditors along with the American Bar Association Information Security Committee (ABA-ISC). To find out more, visit www.cabforum.org

    2. Symantec online consumer study (UK, France, Germany, Benelux, US and Australia) conducted in January 2011

    3. To find out more about EV and its benefits, see white paper Extended Validation SSL certificates: A standard for Trust at www.thawte.com

    The Thawte Trusted Site Seal comes free with Thawte SSL certificates

    Contact Details

    If you have further questions, or would like to speak with a Sales Advisor, please feel free to contact us:

    Email: [email protected]
    UK: +44 203 450 5486
    Germany: +49 69 3807 89081
    France: +33 1 57 32 42 68
    Live Chat: https://www.thawte.com/chat/chat_retail_new.html

    www.thawte.com
