Comment by wnevets
15 hours ago
> Call me old-school, but I really liked how EV certs looked in the browser.
I agree, making EV Certs visually more important makes sense to people who know what it means and what it doesn't. Too bad they never made it an optional setting.
When you request an EV, they call you on the phone number that you give to ask if you requested a certificate. That was the complete extent of the validation. I could be a scammer with a specifically designed domain name and they would just accept it, no questions asked.
Depends on the registrar. Globalsign required the phone number to be one publicly listed for the company in some business registry (I forget exactly which one), so it had to be someone in our main corporate office who'd deal with them on the phone.
For an online business in a dubious (but legal) domain, my co-owner spent a few hundred bucks registering a business in New Mexico with a registered agent to get an EV cert.
So, a barrier to entry, but not much of one.
Dun and Bradstreet (?). I believe I'm remembering this correctly. I still deal with a few financial institutions that insist on using an EV SSL certificate on their websites. I may be wrong, but I believe that having an EV SSL gives a larger insurance dollar amount should the security be compromised from the EV certificate (although I imagine it would be nearly impossible to prove).
When I last reissued an EV SSL (recently), I had to create a CNAME record to prove domain ownership, as well as provide the financial institution's CEO's information which they matched up with Dun & Bradstreet and called to confirm. The entire process took about three days to complete.
> In addition to all of the authentication steps CAs take for DV and OV certificates, EV certificates require vetting of the business organization’s operational existence, physical address and a telephone call to verify the employment status of the requestor. [1]
[1] https://www.digicert.com/difference-between-dv-ov-and-ev-ssl...
Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. Of course it's not 100% foolproof and depends on the quality of the CA, but still very useful.
> Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain.
It might be useful in some cases, but it is never any more secure than domain validation, which is why browsers don't treat it in a special way anymore. If you want, you can still get EV certificates.
It was easy to provide the information for an existing business you're completely unrelated to. Reliably verifying that a person actually represents a company isn't possible in most of the world.
I'd love a referral to your certificate authority and rep - we go through a big kerfuffle each renewal period, only eventually receiving the certificate after a long exchange of government docs and CPA letters. For us, only the last step is the phone call like you say.
The replies to my original comment make it obvious who has gotten an EV cert from a quality CA before and who hasn't.
Having run an EV issuing practice… they were required to contact you at a D&B listed number or address.
EV certs also showed the legal name of the company that requested the certificate - that was an advantage.
Which would have made sense if company names were unique - which they aren't. See e.g. https://groups.google.com/g/mozilla.dev.security.policy/c/Nj... for an example of how this was abused.
The problem is that people wrongly believe that company names are unique. In reality you're just some paperwork and a token registration fee away from a name clash.
If anything, it's a disadvantage. People are going to be less cautious about things like the website's domain name if they see a familiar-sounding company name in that green bar. "stripe-payment.com" instead of "stripe.com"? Well, the EV says "Stripe, Inc.", so surely you're on the right website and it is totally safe to enter your credentials...
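The "stripe-payment.com" scenario from the comment above, worked through in code. This is an added example and not something posted in the thread: it builds a self-signed certificate (a real EV cert would chain to a CA, but the subject fields are what matter here) whose subject carries the EV-style organization name "Stripe, Inc.", a registration number and a jurisdictionOfIncorporation attribute, while its SAN is the lookalike domain. The registration number, locality and the helper names are constructed for illustration. Comparing the legal name in the subject (what a user does when trusting the green bar) succeeds; hostname verification against the real site (what the browser actually checks) fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the EV subject attribute jurisdictionOfIncorporationCountryName
// (CA/Browser Forum EV Guidelines, under the Microsoft arc 1.3.6.1.4.1.311.60.2.1).
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

// MakeEVLookalike builds a self-signed certificate for `domain` whose subject is
// filled in the way an EV certificate's subject is: organization name, country,
// locality, business registration number (subject serialNumber) and jurisdiction.
// Example helper, not a CA's code; the registration number is made up.
func MakeEVLookalike(domain, orgName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   domain,
			Organization: []string{orgName},
			Country:      []string{"US"},
			Locality:     []string{"Albuquerque"},
			SerialNumber: "0001234567", // EV: registration number of the (name-clashing) entity, constructed
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidJurisdictionCountry, Value: "US"},
			},
		},
		DNSNames:              []string{domain}, // the SAN is what hostname verification uses
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// OrgMatches is the check a user performs mentally on the green bar: does the
// displayed legal name look like the company I expect?
func OrgMatches(cert *x509.Certificate, expected string) bool {
	for _, o := range cert.Subject.Organization {
		if o == expected {
			return true
		}
	}
	return false
}

// HostMatches is the check the browser performs: does the certificate's SAN list
// cover the host in the URL bar? The organization field plays no part in it.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := MakeEVLookalike("stripe-payment.com", "Stripe, Inc.")
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject.String())
	fmt.Println("org says Stripe, Inc.:", OrgMatches(cert, "Stripe, Inc."))           // true
	fmt.Println("valid for stripe.com:", HostMatches(cert, "stripe.com"))             // false
	fmt.Println("valid for stripe-payment.com:", HostMatches(cert, "stripe-payment.com")) // true
}
```

The point the code makes is that the organization name is free text vetted against a business registry, and registries do not make names globally unique, so a matching O= tells you nothing about which domain you are on; the SAN and the URL bar are still the only binding that holds.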
I think the point was that EV didn't actually mean anything because the checks were too loose. It's a feel-good false sense of security.