I was attempting to work my way through the US Government’s Health Insurance Marketplace tonight[1], and in addition to the horrible load times, JavaScript timeouts, and strange behavior, I also noticed that the website does not use an Extended Validation (EV) Certificate. Granted, for many businesses, paying the extra couple of hundred dollars for an EV Certificate for their Secure Sockets Layer (SSL)-protected websites is an unnecessary expense. However, for a website that may be used by a sizable percentage of the adult US population, this seems like a large mistake.

It seems to me that a website used by a large number of individuals who aren’t tech-savvy is the perfect application for an EV Certificate. These certificates have a stricter application process, and are therefore much more difficult to forge or impersonate using the standard phishing techniques – at least for now. In addition, all web browsers from about 3 years back provide a clear visual indicator for sites using EV Certificates. For example:


An SSL-protected page using a standard certificate as it appears in Firefox[2]:

[Screenshot: No EV]

An SSL-protected page using an EV Certificate as it appears in Firefox:

[Screenshot: EV]


The EV Certificate makes it much clearer to the end user that they are on the correct website. From a technical perspective, the issuers of EV Certificates are compiled into the browser code itself, preventing malware from modifying the certificate store.

Given all the advantages, one has to wonder why healthcare.gov decided not to use one. Verisign, the most well-known (and most expensive) provider sells EV Certificates for about $2000. Expensive, but a drop in the bucket compared to the hundreds of millions of dollars spent on this website so far. I would imagine that the US Government might be able to strike up some kind of deal with Verisign, in any case.

Some might argue that the EV Certificate is unnecessary, and that may be true. However, let’s look at the ‘competition’ – some of the private insurance company websites.

Aetna:

[Screenshot: EV]

Coventry:

[Screenshot: EV]

Geisinger:

[Screenshot: EV]

And…Healthcare.gov:

[Screenshot: EV]


Now, to be fair, many of the other sites did not use EV Certificates either, but I doubt they see anywhere near the level of users the Government’s site will. Most customers of those healthcare plans are fully managed through their employer, and it is probably only a small number of users that log in through the web portal.

Given the amount of personal data the healthcare.gov website collects, I believe that they should acquire an EV Certificate to protect users. Any effort made to reduce the likelihood of phishing attacks seems like a worthwhile investment for a site that may be used by millions of citizens.


[1] This is a discussion of a technical oversight, not a political statement.

[2] Facebook does not use an EV Certificate because they use a wildcard certificate; Healthcare.gov does not use a wildcard certificate.
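As an added illustration (not from the original post) of the two technical points above, that EV status is signalled by a certificate policy the browser recognises rather than by anything the site operator controls, and that EV certificates cannot be wildcards (footnote [2]): a Go program that builds two constructed self-signed test certificates and classifies them. The hostnames are made up, and using only the CA/Browser Forum EV policy OID 2.23.140.1.1 as the marker is a simplification; real browsers additionally match CA-specific EV OIDs against the roots they ship with. Requires Go 1.22 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// CA/B Forum EV policy OID; browsers also match CA-specific EV OIDs bound to their roots.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// Classify reports whether a parsed certificate asserts the CA/B Forum EV policy
// and whether any DNS SAN is a wildcard name (the EV guidelines forbid wildcards).
func Classify(cert *x509.Certificate) (ev, wildcard bool) {
	for _, oid := range cert.PolicyIdentifiers {
		ev = ev || oid.Equal(evPolicyOID)
	}
	for _, name := range cert.DNSNames {
		wildcard = wildcard || strings.HasPrefix(name, "*.")
	}
	return ev, wildcard
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestCert builds a constructed self-signed certificate for the given SANs, optionally
// asserting the EV policy, and round-trips it through DER so Classify sees parsed fields.
func NewTestCert(sans []string, ev bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if ev { // set both fields so the extension is emitted whatever x509usepolicies defaults to
		tmpl.PolicyIdentifiers = []asn1.ObjectIdentifier{evPolicyOID}
		tmpl.Policies = []x509.OID{must(x509.OIDFromInts([]uint64{2, 23, 140, 1, 1}))}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

Classify on a certificate for `www.example-insurer.test` built with `ev=true` returns (true, false); on one for `*.example.test` built with `ev=false` it returns (false, true), which is the combination footnote [2] describes for a wildcard site.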