
SSL Is Broken by Design. Why Trust Should Go Beyond the Padlock by Kelvin Kiogora


Published on: June 4, 2025

That padlock icon you see in your browser’s address bar?

It means that the website you’re visiting is “secure,” thanks to a protocol known as SSL (Secure Sockets Layer) that encrypts your connection, helping to protect your data and ensure your interaction with the site remains private.

But what does “secure” really mean?

Well, the padlock is a good start, but it doesn’t tell the whole story.

Most websites today use Domain Validation (DV) certificates, which confirm domain ownership and provide essential encryption. That’s useful—but DV certs don’t verify who’s actually behind the website. This makes them easy to obtain, and in some cases, vulnerable to misuse.

That’s where Organization Validation (OV) certificates come into play. OV certificates provide one more crucial layer of trust by verifying not just the domain, but also the legitimacy of the organization behind it.
That way you know that you’re dealing with a real, verified entity, and not a faceless URL. And there’s even more that we are getting wrong about SSL certs…

To understand these important nuances of digital trust, I spoke with Francesco Basso, Head of SSL at Actalis S.p.A., one of Europe’s leading Certification Authorities.

He explained how today’s SSL ecosystem, while powerful, can be vulnerable when trust signals are oversimplified, and why OV certificates are essential for a safer web.
And because I’m a Safety Detective after all, I also looked into what we users can do now to avoid being fooled by a green padlock before it’s too late.

The Risks of Minimal Validation

DV certificates have become the default choice for many websites, largely due to the proliferation of free certificate providers like Let’s Encrypt.

According to recent data, DV SSL certificates dominate the Web with a 94.4% share, while Organization Validation certs (OV) have a tiny 5.5%, and Extended Validation (EV) are left with a mere 0.1%.

Unfortunately, the convenience of DV certificates comes at a cost, since they only verify domain ownership, not the identity of the website owner. It’s like you’re trusting anyone with a key just because they say they live there. Without proper identity verification, users are left vulnerable to sophisticated cyber threats.

Data speaks:

  • A landmark study in 2018 analyzed 6,020 phishing sites with valid SSL certificates, and found that 99.82% used DV certificates.
  • When adjusted for market share, DV-certified sites are 15 times more likely to host phishing content than EV-certified sites and 41 times more likely than OV-certified sites.

This lack of proper identity verification makes it all too easy for a malicious actor to create a seemingly legitimate website and use it for attacks such as phishing.

The economic model driving DV adoption is equally telling: the global certificate authority market is projected to reach $282 million by 2028, but this growth primarily benefits only six certificate authorities that control 90% of the market, with Let’s Encrypt commanding a 63.7% share.

And you know what happens when a few companies have a monopoly on a market: they lose interest in giving you, the user, the best service possible, since you will have to rely on them anyway.

* To be clear, DV certificates are not inherently dangerous—they serve a specific purpose. But for sites where trust and identity matter, they may not be enough.

The Case for OV and EV Certificates

Let’s understand one key concept:

Digital trust isn’t just about encryption. It’s about knowing who you’re dealing with, where your data lives, and how it’s being secured across its lifecycle. With that in mind, it’s easy to see why OV and EV certificates offer higher levels of assurance than DVs: they require more rigorous identity checks.

🔒 SSL Certificate Validation Types: What’s the Difference?

| Type | What It Confirms | Who It’s For | How Secure? | Time to Get It | Trust Level for Users |
|---|---|---|---|---|---|
| DV (Domain Validation) | Only proves someone owns the domain name | Personal blogs, small websites, test pages | 🔓 Basic – no identity check | ⏱️ Minutes | ⚠️ Low – easy for scammers to get |
| OV (Organization Validation) | Verifies the organization’s name, location, and legitimacy | Businesses, schools, non-profits | 🔐 Medium – real-world ID is checked | ⏳ 1–3 days | Medium – more trust, visible in certificate |
| EV (Extended Validation) | Verifies full legal identity, location, and right to use the domain | Banks, e-commerce, government websites | 🛡️ High – most thorough background check | ⏳ 3–5 days | 🔒 High – shows full company name in browser bar (in some browsers) |
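To see which of these types a site actually presents, here is an added example (not from the original article or from Actalis) that classifies a certificate from its subject fields and, when available, its CA/Browser Forum policy OID. The sample certificates and hostnames are constructed, and the subject-field rule assumes the issuing CA follows the CA/Browser Forum requirements (no organization name in DV; business category, serial number and jurisdiction in EV).

```python
import socket
import ssl

# CA/Browser Forum reserved certificate-policy OIDs.
CABF_POLICY = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}
# Subject attributes the EV Guidelines require in addition to organizationName.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate in ssl getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert, policy_oids=()):
    """Classify a certificate as DV, OV or EV.

    policy_oids is optional: getpeercert() does not expose certificatePolicies,
    so pass the OIDs in when another tool has extracted them.
    """
    subject = subject_fields(cert)
    org = subject.get("organizationName")
    if not org:
        by_subject = "DV"  # domain control only, no verified organization
    elif EV_SUBJECT_FIELDS.issubset(subject):
        by_subject = "EV"
    else:
        by_subject = "OV"
    by_policy = next((CABF_POLICY[o] for o in policy_oids if o in CABF_POLICY), None)
    return {
        "level": by_policy or by_subject,
        "organization": org,
        "consistent": by_policy in (None, by_subject),  # False = investigate
    }


# Constructed sample certificates (not real sites), in getpeercert() form.
DV_CERT = {"subject": ((("commonName", "login.example.test"),),)}
OV_CERT = {"subject": ((("countryName", "IT"),),
                       (("organizationName", "Example S.p.A."),),
                       (("commonName", "www.example.test"),))}
```

For a live site, `validation_level(fetch_cert("hostname"))` gives the subject-based result; a `consistent` value of `False` means the policy OID and the subject fields disagree and the certificate deserves a closer look.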

In Europe, there is also a type of EV certificate known as a QWAC (Qualified Website Authentication Certificate) that is gaining importance. These meet the same rigorous checks as EV—but also comply with the EU’s eIDAS regulation, adding another legal trust layer.

However, their massive underutilization suggests a gap in awareness and understanding among website owners about the importance of robust SSL validation. In fact, even in 2025, government portals and major enterprise websites are still running on DV-only certificates where stronger verification is warranted.

This directly affects the security of any website visitor, including me and you.

That’s where eIDAS comes in…

How Europe Is Trying to Fix This

eIDAS is a European law that’s quietly transforming how we verify identity online. It’s kind of like a digital passport system for websites, signatures, and identities across the EU.

Before eIDAS, every country had its own rules. If you signed a contract online in Italy, it might not count in Germany. Now, thanks to eIDAS, it’s all unified.

More secure.

More legally valid.

Better for cross-border trust.

For regular folks like you and me, this means when you interact with a public service, sign a lease, or buy something from a European business online, you can actually trust what you’re seeing.

What you can start doing now to stay safe

1. Don’t Trust the Padlock Alone

That little lock icon? It just means your connection is encrypted, not that the site is legitimate. Check the full website name. Scammers often use subtle misspellings.

2. Look for OV, EV, or QWAC certificates on sites where you enter sensitive info

These higher-assurance certificates actually verify the identity behind a website. Some browsers show the company name right next to the URL, like “Bank of Italy [IT]” instead of just a lock.

3. Pay Attention When Signing Anything Online

If you’re signing a contract, applying for a job, or sharing sensitive information, make sure the site uses strong digital verification. If it’s a government site or a bank, it should be more than just a DV certificate.

4. Ask: Where Does My Data Go?

Big tech platforms might secure your data, but they also store it overseas, share it with partners, or use it for profiling. European providers like Actalis are building entire trust systems, keeping everything local, certified, and controlled under strict laws.

They control their infrastructure, offer human support (in your language), and follow EU rules to the letter. They don’t cut corners, and build everything in Europe, for Europe, with full transparency.

This isn’t just about tech. It’s about who you trust with your money, your identity, even your votes.

The internet has made it easy to connect, but also easy to fake. If you want a web that actually earns your trust, start demanding more than just a padlock.

Want to know if your website is using the right certificate?

Reach out to Actalis

https://www.linkedin.com/company/actalis-s.p.a./

Data sources:

https://sslinsights.com/ssl-certificates-statistics/

https://www.techbusinessnews.com.au/blog/the-role-of-ssl-certificates-secure-your-website-against-cyber-attacks/

https://pkic.org/uploads/2018/06/Summary-Report-Incidence-of-Phishing-04-16-2018.pdf
