Comment by yabones
14 hours ago
Call me old-school, but I really liked how EV certs looked in the browser. Same with the big green lock icon Firefox used to have. I know it's all theatrics at best and a scam at worst, but I really feel like it's a bit of a downgrade.
"it's all theatrics at best"
Only IT understand any of this SSL/TLS stuff and we screwed up the messaging. The message has always been somewhat muddled and that will never work efficiently.
> Call me old-school, but I really liked how EV certs looked in the browser.
I agree, making EV Certs visually more important makes sense to people who know what it means and what it doesn't. Too bad they never made it an optional setting.
When you request an EV, they call you by the phone number that you give to ask if you requested a certificate. That was the complete extent of the validation. I could be a scammer with a specifically designed domain name and they would just accept it, no questions asked.
Depends on the registrar. Globalsign required the phone number to be one publicly listed for the company in some business registry (I forget exactly which one), so it had to be someone in our main corporate office who'd deal with them on the phone.
> In addition to all of the authentication steps CAs take for DV and OV certificates, EV certificates require vetting of the business organization’s operational existence, physical address and a telephone call to verify the employment status of the requestor. [1]
[1] https://www.digicert.com/difference-between-dv-ov-and-ev-ssl...
Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. Of course it's not 100% foolproof and depends on the quality of the CA, but still very useful.
I'd love a referral to your certificate authority and rep - we go through a big kerfuffle each renewal period, only eventually receiving the certificate after a long exchange of government docs and CPA letters. For us, only the last step is the phone call like you say.
Having run an EV issuing practice… they were required to contact you at a D&B listed number or address.
EV certs also showed the legal name of the company that requested the certificate - that was an advantage.
I think the point was that EV didn't actually mean anything because the checks were too loose. It's a feel-good false sense of security.
It’s okay, the scam continues with BIMI.