EV Certificate Effectiveness
This cluster debates the value and effectiveness of Extended Validation (EV) SSL/TLS certificates compared to Domain Validation (DV) ones like Let's Encrypt, questioning their ability to provide real security and user trust amid issues with Certificate Authorities.
Sample Comments
Because Let's Encrypt is the CA that hands out certificates without actually verifying identity.
Why do you think it's a false sense of security? Are you familiar with Certificate Transparency? And Let's Encrypt?
Isn't this something that Extended Validation certificates were designed to address?
In theory isn't this what EV certs are for? I know users don't really notice though.
I thought this was the point of EV certs.
Sadly research has proven otherwise: 1. Users do not understand the difference between an EV and a DV cert. We spent a decade training users that the padlock is all you need. 2. Company registration norms are not standardised across the world, and you can easily get a certificate for Microsoft Corp, see https://news.ycombinator.com/item?id=15904513 for eg.
There's nothing stopping the spammers from getting certs.
EV certs required that. DV certs never provided that sort of security.
This sounds just like EV certificates, and they have not been shown to work very well. (There have been many articles explaining why, here is one: https://www.troyhunt.com/extended-validation-certificates-ar... )
Why do you trust DNS registrars more than you trust CAs?