thawte ev whitepaper ch
Post on 03-Jun-2018
8/12/2019 Thawte EV Whitepaper CH
The Truth About Online Trust
Building Trust Standards on the Web
WHITE PAPER 2013
CONTENTS
The Trust Equation
Summary of Research
Trust Matters For Some More than Others
What are the Signs of Trust?
When is Trust Most Important?
Not All SSL is Created Equal
UK: Big on Trust and Building Trust
Germany: Realistic and Pragmatic on Trust
France: No Problems Here
EV Authentication: Boosting Trust on the Web
References

Protect your data, safeguard your business, and translate trust to your customers with high-assurance digital security certificates from Thawte, the world's first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide.

THE TRUST EQUATION

Trust is a fundamental currency on the web. In a virtual world, where you never know for sure who is controlling the website you are viewing or consuming the information you are sharing, meaningful interaction is impossible without high levels of trust. Increasingly, as cybercriminals have become more sophisticated in setting up spoof phishing sites to fool users into handing over personal details and passwords, sites need more than standard certificates to engender trust.

Thawte commissioned a survey aimed at establishing how trustworthy IT managers in three European countries believe their websites to be. This paper reports the findings of the survey and raises some additional questions around building trust for website owners and managers.

At one level, building trust is a simple balanced equation: higher levels of trust on one side = more trusting users willing to complete interactions and transactions on the other. A lessening of trust on one side of the equation, such as a leaking of user details, leads to a lessening of what users are prepared to do or complete on the other.

The survey went on to ask what IT managers' perceptions are of the level of trust they require, and at what point that trust is most critical. The survey also wanted to discover what impact trust indicators such as Extended Validation (EV) SSL certificates had on this perception.

Finally, this paper asks whether IT managers are making the most of the opportunity to engender trust and cultivate loyal customers, to build online interactions and to boost online business.

The survey questioned 150 IT professionals in all sizes of business and across all industry sectors including education, healthcare, government, retail, business services, travel & leisure and finance. One third of the respondents were in the UK, a third in Germany and a third in France, and the majority were either decision makers or influencers.

While there were low adoption levels of EV, and low awareness of what it was all about, those who have embraced it believe their websites are rated more trustworthy than those of their peers. One in five participants in the UK, and 13% overall, recognised the need for websites to have more than standard SSL.

However, the survey also demonstrated the trust conundrum: while more than half of participants rated their websites as highly trustworthy, nearly two thirds of this group employed no trust indicators at all.
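
SUMMARY OF RESEARCH

What indicators do you have that customers trust your website?
Total: traffic volumes 27%; repeat visits 23%; willingness to share personal details 8%; willingness to complete transactions 5%; no indicators / none / not applicable / not sure 49%
UK: traffic volumes 26%; repeat visits 30%; willingness to share personal details 12%; willingness to complete transactions 8%; no indicators / none / not applicable / not sure 38%
DE: traffic volumes 25%; repeat visits 18%; willingness to share personal details 8%; willingness to complete transactions 6%; no indicators / none / not applicable / not sure 65%
FR: traffic volumes 30%; repeat visits 20%; willingness to share personal details 4%; willingness to complete transactions 0%; no indicators / none / not applicable / not sure 46%

Some organisations think their customers need more than standard SSL - but not in France
UK: yes 20%, no 80%
DE: yes 18%, no 82%
FR: yes 0%, no 100%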

Many believe it's important that the validity of certificates is checked in real time.

Organisations think they are trustworthy - but cannot quantify why they think this.

How trustworthy do customers consider websites to be?
Total, on a scale from not trustworthy to highly trustworthy: 1%, 5%, 37%, 57%

TRUST MATTERS FOR SOME MORE THAN OTHERS

Traditional SSL has, for many years, provided website visitors with the assurance that their interaction with a website is secure. The lock icon that appears when an SSL connection has been created between host and client machine, and the https URL address, show that when information such as user names and passwords is exchanged, it is encrypted and only accessible by the website owner.

However, the limitations of traditional SSL authentication are beginning to be exposed. For a start, traditional SSL certificates only validate the website domain name and confirm that it belongs to the stated owner. This means consumers could have the assurance of SSL encryption but still be visiting a compromised site.

Secondly, some certificate authorities will provide SSL certificates without checking the authenticity of the organisation behind the website and whether it is a legitimate business entity worthy of trust. Cybercriminals could therefore set up a counterfeit site, obtain an SSL certificate for it, and dupe consumers into handing over personal details, while still being genuine website owners.

Thirdly, some cybercriminals have SSL certificates which are self-signed: the certificate is signed with the owner's own private key instead of being issued by a certificate authority. This discrepancy and others would be highlighted by any modern browser but many users would not be aware of the problem.

Our survey found that one in five respondents in the UK, and 13% overall, believe their customers now need more than standard SSL to feel comfortable completing transactions. The trend was particularly pronounced in the education, retail and travel sectors, where the integrity of transactions is most pronounced. Equally, these organisations also believed the trustworthiness of their website was most important at registration, a key point when trustworthiness is questioned, as outlined in the Trusting Times section of this paper.

For organisations that want to demonstrate to their users that their websites provide more than standard levels of security, Extended Validation (EV) can provide a compelling option.

Do customers need more than standard SSL certificates to feel comfortable completing transactions?
Total: yes 13%, no 87%
UK: yes 20%, no 80%

WHAT ARE THE SIGNS OF TRUST?

According to our survey, most organisations think their customers consider their website to be reasonably or highly trustworthy, but significantly, few can quantify their reasons for thinking this, and nearly two thirds of this group are doing nothing to help build trust with users. So are they right to be so confident about their customers' experience?

Over half of participants (57%) think customers consider their website to be highly trustworthy, while an additional 37% think customers consider their site trustworthy. That leaves just 6% thinking their customers consider their site less than trustworthy, and just 1% (2 people) untrustworthy.

Different industry sectors have different sensitivities. Education has the lowest levels of trust and is the most cost-sensitive sector. Healthcare considers its sites highly trustworthy but also has fewer trust indicators, such as SSL, trust seals or EV.

Whether consumers share these organisations' assertions around trust is a moot point: all the signs suggest that they are looking for further reassurances.

Nearly half (49%) of survey respondents admit that they have no reason to think customers trust their website. Just over a quarter (27%) cite traffic volumes, and 23% repeat visits, while only a handful bring up willingness to share personal details or complete transactions as evidence their customers trust their website.

Unfortunately, organisations not only appear to be overconfident about their users' perceptions of trust, they are also doing little to engender these feelings of trust. While nearly a third (31%) use SSL certificates, only 8% have trust seals and 5% use Extended Validation SSL certificates.

A staggering 61% of respondents had no trust indicators at all, which means they are making no efforts to build trust with users of their website, and a standout 64% of those who considered their sites to be highly trustworthy had no trust indicators.

WHEN IS TRUST MOST IMPORTANT?

Organisations may appear blasé about the trustworthiness of their websites, but from a user perspective there are certain types of websites that inspire high levels of trust and key moments in the interaction lifecycle when that trust is challenged.

A user browsing the web for information, for example, is likely to navigate to a site that has a high level of trust attached to it, rather than a site that they have little previous experience of, or low credibility attached to the brand. Similarly, users looking to complete transactions on sites will look for signs of trust, and will question the authenticity of sites at key moments.

More than half (54%) of participants believe trustworthiness of their site is important at all times, but nearly a third (32%) singled out registration as a key moment for trust, and more than one in ten (11%) pointed to checkout.

Trust is important for all websites, but some IT managers just require basic encryption to protect user names and passwords while others handling sensitive personal information need stronger encryption and in-depth site owner verification.

Not surprisingly, retail and finance industries consider trustworthiness most important at registration and checkout. Websites that are able to offer varying trust indicators are best suited to the expectations of users.

At these points, it's critical that website owners do their utmost to engender trust so users carry through their registrations or transactions, rather than getting cold feet and leaving the process midway through. Incomplete processes are the worst from an organisation's perspective because it has invested the time and effort to push the user down a particular channel and that user is either lost, or the organisation has to commence the transaction again through another channel.

When is the trustworthiness of a website most important?
At the registration process: 32%
At checkout: 11%
When advertising pops up: 3%
At all times / all of the above: 54%

NOT ALL SSL IS CREATED EQUAL

As the foundation of trust on the web, it's critical that SSL certificates and their issuing certificate authorities (CAs) are beyond reproach.

However, not all certificates are created equal, nor do all CAs exercise the same rigour when issuing certificates. As websites' needs have become clearer, a new class of authentication, Extended Validation (EV), has been put forward to provide an extra layer of protection.

When asked what is or would be most important when sourcing SSL certificates, aside from the obvious concern around cost (27%), the critical thing organisations are looking for is ease of use (22%), clearly ahead of brand (15%), visitors' perception (13%), and the provision of value-added services (8%).

Separately, participants were asked how important it was that the validity of SSL certificates was checked in real-time and more than three quarters (76%) of organisations surveyed thought it was important or very important.

Cost-effective Extended Validation (EV) meets the requirements for improved trust standards, ease of use and real-time checking. A set of guidelines developed by the Certificate Authority/Browser Forum (CA/B Forum) [1], EV effectively raises the bar for the standard of certificate being provided.

CAs go through a rigorous audit to ensure they follow guidelines on business verification practices, including a 13-step analysis on the business behind the website.

These steps include:
- Verifying the existence of the organisation and that its identity matches official records
- Verifying the organisation has exclusive rights to use the domain
- Confirming the contact in the EV SSL request
- Verifying the order

When visiting a site with EV SSL, the address bar turns green and the certificate authority that provided the certificate is highlighted. This simplifies the identification of an EV certificate's presence and confirms that it was provided by a credible source. EV also allows real-time certificate validity checking; if the certificate is no longer valid, the bar will not turn green.

What is most important when sourcing SSL certificates?
Cost: 27%
Ease of use: 22%
Brand: 15%
Visitor / customer perception: 13%
Value-added services: 8%

UK: BIG ON TRUST AND BUILDING TRUST

The UK appears to be a relatively sophisticated market both in the trust measures that already exist and in its efforts to boost trust standards on websites. But in order to meet best practice, organisations need to be prepared to invest more.

The UK has the highest average rating for how trustworthy organisations believe their customers consider their websites to be (3.52 out of 4). Over three quarters of respondents (78%) rated them highly trustworthy compared to an average across all markets of 57%. A further 14% considered them fairly trustworthy.

Is the UK justified in this assessment? Compared to other markets, its adoption of trust indicators is no better than average. When asked what trust indicators they have on their websites, more than half of participants (56%) have nothing, compared to an average across all markets of 61%. However, the presence of SSL certificates was slightly down on the average with just 30% adoption, only one in ten had trust seals, and 6% EV authentication.

Balanced against this, the UK felt the highest need for EV, with one in five (20%) acknowledging that customers need more than standard SSL certificates to feel comfortable completing transactions with their site. This compares to an average rating of 13% (and no participants agreeing in France).

The UK also has the most organisations aware of the CA/B Forum, with an approximate 40-60 split between those who are familiar with the Forum behind the EV guidelines for SSL certificates and those who aren't.

This market is clearly highly sensitive to trust issues and mature in its appreciation of what is required to build trust. The fact that it was also the market that ranked cost as its standout concern (for 40%) when sourcing SSL certificates might explain why this appreciation has not led to greater adoption. Clearly the UK needs to step up to the challenge and put its money where its mouth is.

The UK had the highest average rating for how trustworthy organisations considered their websites to be.
On a scale from not trustworthy to highly trustworthy: 2%, 6%, 14%, 78%

GERMANY: REALISTIC AND PRAGMATIC ON TRUST

Organisations in the German market, in stark contrast to the UK and France, have a realistic appreciation of the trust that their customers put in their websites, together with a pragmatic approach to what they need to do to improve that trust.

Germany has the lowest average rating for how trustworthy organisations thought their customers considered their websites to be, at 3.41 out of 4. Less than half (45%) of respondents rated themselves highly trustworthy, with the majority (51%) plumping for fairly trustworthy.

Germany also has the most participants citing no reason to consider their sites trusted, with a staggering 65% able to give no reason why they thought customers might trust their website. Given their low self-assessment, German organisations could clearly do more to evaluate perceptions of trust.

Nonetheless, Germany shows an average adoption of trust measures with nearly a third adopting SSL certificates (32%), 12% trust seals and marks, and a number of companies (8%) with Extended Validation (EV) authentication.

What stands out in the German market, compared to the other two countries, is its enlightened attitude to the value provided by SSL certificates. More than a third (34%) cited ease of use as the most important thing when sourcing SSL certificates, followed by visitor perception (18%) and then brand (14%). This is almost the opposite of the other markets, where cost was always ranked top and visitor perception rarely featured.

A relatively high percentage (18%) agreed that customers need more than standard SSL certificates to feel comfortable completing transactions with their site, and more than a third (34%) were familiar with the CA/B Forum and how it relates to SSL certificates. Of these, more than three quarters agreed that it was very important that a standard for SSL certificates be agreed between CAs and browser manufacturers.

German organisations are clearly aware of the issues surrounding trust on their websites and they know they need to improve. Standards such as EV may hold the key to take the market to the next level.

Germany had the highest percentage citing no reason to think their websites were trusted.
Traffic volumes 25%; repeat visits 18%; willingness to share personal details 8%; willingness to complete transactions 6%; no indicators / none / not applicable / not sure 65%

FRANCE: NO PROBLEMS HERE

Organisations in France appear in denial about both their current evaluation of trust, and the measures they need to put in place to improve trust standards with customers looking to complete interactions with their websites.

Only half of organisations (50%) considered that their customers thought their sites to be highly trustworthy in France, and this was no surprise as the market has the lowest adoption of added generators of trust such as trust seals (2% - 1 respondent) and Extended Validation (EV) SSL certificates (2% - 1 respondent). More than two thirds (68%) have no trust indicators on their websites, while 30% have SSL certificates.

In line with other markets, nearly half of the organisations surveyed (46%) have no indicators that their customers trusted their websites. However, French respondents jump out in that 68% considered the trustworthiness of their websites most important at all times.

The French market is not particularly price sensitive - 30% considered price most important when sourcing SSL certificates compared with 40% in the UK and 27% overall. But brand was more important than other markets, with 26% rating it most important.

The standout figure for France was that no organisations surveyed considered that their customers needed more than standard SSL to feel comfortable completing transactions with their website. This compared with 13% overall and 20% (10 respondents) in the UK. This is clearly down to awareness, as only 8% (4 respondents) were familiar with the CA/B Forum, the organisation that agreed the guidelines for awarding EV SSL certificates.

Organisations in France clearly need to step up to the mark or risk falling behind other countries in building trust standards on their websites. The fact that so few were familiar with the benefits of the higher level of trust that EV builds suggests that there's an education job to be done.

France had the highest percentage of organisations on their website
None: 68%
The golden padlock/http which shows the presence of an SSL certificate: 30%
Trust seals or marks of assurance: 2%
A green browser bar indicating Extended Validation SSL: 2%

EV AUTHENTICATION: BOOSTING TRUST ON THE WEB

The findings of this survey should come as a wake-up call to any organisation assuming its website is highly trusted by users, but doing little or nothing to earn that trust. Trust is a valuable commodity for all websites, particularly for order-taking sites, and at critical moments such as checkout, an extra layer of reassurance needs to be provided. But IT managers need to provide clear signs to users that their websites are trustworthy.

Some IT managers recognise this and are looking for more than standard SSL certificates to reinforce trust, so that when users see their browser bar turn green, they know that transactions are secured and encrypted, and that the organisation behind the site has been through an extra level of verification.

The survey shows that IT managers want cost-effective, easy-to-use trust certificates that not only provide the verification of the site owner, but also real-time checking of the validity of the certificate to ensure it hasn't been revoked.

Extended Validation (EV) offers all these benefits, and consumers are clearly responsive to them. According to a separate 2011 consumer study [2], online shoppers are more likely to enter their credit card and/or other confidential financial information into a website with the SSL EV green bar, which most shoppers (60% in the survey) said increased their feeling of security. Conversely, over half said they would abandon a purchase if an unfamiliar site did not have the green bar.

By identifying the certificate authority (CA) that provided the certificate, EV is also raising the bar for the whole industry, encouraging websites to obtain their certificates from a reputable CA, and forcing CAs that want to issue EV SSL certificates to go through a WebTrust audit [3].

In addition, some security providers such as Thawte provide trust marks and seals as an added sign of protection. In Thawte's case, this comes free with the purchase of any Thawte SSL certificate.

However, there are still low levels of awareness among IT managers of the need for and benefits of EV. In our survey, a high 87% of websites (and 100% in France) still think customers need no more than standard SSL certificates to feel comfortable completing transactions. This clearly contradicts the consumer findings. And more than three quarters (76%) are not aware of the CA/B Forum which oversees the EV standard.

IT managers and website owners have a responsibility to help engender trust on the internet and EV is one of the most powerful ways of providing this. Ultimately, too, if the trust equation is worked through, building a better trust standard is good for business.

REFERENCES

1. The CA/Browser Forum is comprised of over 30 browser manufacturers, CAs and WebTrust auditors along with the American Bar Association Information Security Committee (ABA-ISC). To find out more, visit www.cabforum.org
2. Symantec online consumer study (UK, France, Germany, Benelux, US and Australia) conducted in January 2011
3. To find out more about EV and its benefits, see white paper "Extended Validation SSL certificates: A standard for Trust" at www.thawte.com

The Thawte Trusted Site Seal comes free with Thawte SSL certificates

Contact Details
If you have further questions, or would like to speak with a Sales Advisor, please feel free to contact us:
Email: sales@thawte.com
UK: +44 203 450 5486
Germany: +49 69 3807 89081
France: +33 1 57 32 42 68
Live Chat: https://www.thawte.com/chat/chat_retail_new.html
www.thawte.com