Comment by btown

15 hours ago

To be fair, for a CEO in 2022, EV certificates had only lost their special visualizations since September/October 2019 with Chrome 77 and Firefox 70 - and with all that would happen in the following months, one could be forgiven for not adapting to new browser best practices!

https://www.troyhunt.com/extended-validation-certificates-ar...

It was a red herring the entire time. At Shopify we ran an experiment regarding conversion between regular certs and EV before they stopped being displayed, and there was no significant difference. The users don't notice the absence of the fancier green lock.

  • I think the rebuttal to the CEO today is really very simple.

    a) How many of the sites you visit every day have DV and how many have EV certificates?

    b) Name any site at all that you have visited where your behavior or opinion has changed because of the certificate.

    In truth the green-bar thing disappeared on mobile long before desktop (and in some cases it was never present.)

    In truth, if you polled all the company staff, or crumbs, just the people round the boardroom table (probably including the person complaining), a rounding error from 0 could show you how to even determine if a cert was DV or EV.

    EV could have an inspector literally visit your place of business, and it would still have no value because EVs are invisible to site visitors.

Call me old-school, but I really liked how EV certs looked in the browser. Same with the big green lock icon Firefox used to have. I know it's all theatrics at best and a scam at worst, but I really feel like it's a bit of a downgrade.

  • "it's all theatrics at best"

    Only IT understands any of this SSL/TLS stuff, and we screwed up the messaging. The message has always been somewhat muddled, and that will never work efficiently.

  • > Call me old-school, but I really liked how EV certs looked in the browser.

    I agree, making EV Certs visually more important makes sense to people who know what it means and what it doesn't. Too bad they never made it an optional setting.

    • When you request an EV, they call you on the phone number that you give to ask if you requested a certificate. That was the complete extent of the validation. I could be a scammer with a specifically designed domain name and they would just accept it, no questions asked.


    • I think the point was that EV didn't actually mean anything because the checks were too loose. It's a feel-good false sense of security.

EV validated not only that a domain was under control of the server requesting the cert, but that the domain was under control of the entity claiming it.

I kind of wish they still had it, and I kind of wish browsers indicated that a cert was signed by a global CA (real cert store trusted by the browsers) or an aftermarket CA, so people can see that their stuff is being decrypted by their company.
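Added example, not part of this thread: the "validation level" of a certificate is carried as policy OIDs in the certificatePolicies extension, which is what browsers used to decide whether to show the EV treatment. The script below walks a certificate's DER structure, pulls those OIDs out and maps the CA/Browser Forum reserved identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) to a label. So that it runs offline, it also builds a minimal, constructed certificate-shaped DER object (version, serial, extensions only; no real issuer or signature), which is an assumption of this example and not a real CA-issued certificate. The second policy OID in the EV sample, 2.16.840.1.114412.2.1, is DigiCert's EV policy identifier; browsers historically also kept per-CA EV OID lists alongside the CA/B Forum one.

```python
"""Read the certificatePolicies extension of an X.509 certificate (DER) and
classify it as DV / OV / IV / EV from the CA/Browser Forum policy OIDs.
Added illustration; the sample certificate is constructed, not CA-issued."""

# CA/Browser Forum reserved policy identifiers
CABF_POLICY_CLASS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}
CERT_POLICIES_EXT = "2.5.29.32"  # id-ce-certificatePolicies


# ---- minimal DER encoder (only what the constructed sample needs) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def build_cert(policy_oid_list):
    """Constructed, certificate-shaped DER: tbs{[0] version, serial, [3] extensions}.
    Issuer/subject/validity/SPKI and the signature are left out on purpose."""
    policies = der(0x30, b"".join(der(0x30, der_oid(o)) for o in policy_oid_list))
    ext = der(0x30, der_oid(CERT_POLICIES_EXT) + der(0x04, policies))
    extensions = der(0xA3, der(0x30, ext))  # [3] EXPLICIT Extensions
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + extensions)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


# ---- minimal DER reader ----
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(content):
    pos, items = 0, []
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        items.append((tag, body))
    return items


def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:  # first subidentifier packs the first two arcs
                arcs += [0, value] if value < 40 else ([1, value - 40] if value < 80 else [2, value - 80])
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def policy_oids(cert_der):
    """Return the policyIdentifier OIDs from certificatePolicies, or [] if absent."""
    _, cert, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate SEQUENCE
    for tag, body in children(tbs):
        if tag != 0xA3:
            continue
        _, ext_list, _ = _read_tlv(body, 0)
        for _, ext in children(ext_list):
            parts = children(ext)          # [extnID, (critical), extnValue]
            if decode_oid(parts[0][1]) != CERT_POLICIES_EXT:
                continue
            _, policies, _ = _read_tlv(parts[-1][1], 0)  # OCTET STRING holds SEQUENCE OF PolicyInformation
            return [decode_oid(children(pi)[0][1]) for _, pi in children(policies)]
    return []


def validation_level(cert_der):
    found = {CABF_POLICY_CLASS[o] for o in policy_oids(cert_der) if o in CABF_POLICY_CLASS}
    for level in ("EV", "OV", "IV", "DV"):
        if level in found:
            return level
    return "unknown"


if __name__ == "__main__":
    ev = build_cert(["2.23.140.1.1", "2.16.840.1.114412.2.1"])
    dv = build_cert(["2.23.140.1.2.1"])
    print(validation_level(ev), policy_oids(ev))
    print(validation_level(dv), policy_oids(dv))
```

Point the `policy_oids` function at real DER (for example the bytes `ssl.SSLSocket.getpeercert(binary_form=True)` returns) and it walks the same structure; the point of the exercise is that "EV" is just one more OID in the chain the browser already parses, and nothing about it is visible once the UI treatment is gone.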

  • Problem is, I can easily set up a company and get an EV cert for "FooBar Technologies, LLC" and phish customers looking for "FooBar Incorporated" or "International FooBar Corp.". Approximately zero users know the actual entity name of the real FooBar.

    • Even if the users knew exactly what the name of the entity whose website they wanted to visit was: that name is not unique, as is shown by the "Stripe, Inc" example in the parent's linked blog post.

    • BIMI, as misguided as it is, does aim to solve this by tying registration to insanely high prices and government-registered trademark verification. You would have a hard time registering the Stripe trademark nowadays in a way that would get you a BIMI certificate for that name/logo.

      https://www.thesslstore.com/resources/bimi-certificate-cost-...

      But I'm glad that it hasn't caught on as strongly as expected by the public (or even become commonly used). Big brands shouldn't be able to buy their way into inbox placement in ways that smaller companies can't replicate.

  • You can find quite a few examples online showing that the entity check wasn't all that strict...