
The CA's Role in Fighting Phishing and Malware - glass-
https://letsencrypt.org/2015/10/29/phishing-and-malware.html
======
junto
This has always puzzled me about SSL certs. Most site owners want to ensure
that communication to and from the server is encrypted and secure from all
prying eyes, period.

Other site owners also want to add to this the concept of trust: to prove that
who they are has been legitimately verified by a trusted third party.

That the two mechanisms are forced together is not ideal. The lock symbol
should symbolise the encryption. Another icon should be used to denote trust.

Snowden has uniquely proven that all data must be encrypted both in
communication and ideally also at rest.

Are encrypted communications and verified trust mutually exclusive or not?
Discuss!

~~~
technion
A classic example is this[0] debacle, wherein a legitimate user struggles with
all forms of difficulties because a CA took it upon itself to police the
certificates it issues.

Similarly, I bought a certificate from that same company, and because it was
for a well-known brand I was made to jump through all sorts of verification
hoops, despite it being a DV certificate.

I won't link it here, but I came across a stresser service quite literally
selling DDoS tools, advertising that they accept bitcoins for anonymous
attacks, who happen to have an EV certificate and give users a big green bar.

Does that make it a legitimate business? SSL vendors want you to think so.

[0] https://forums.comodo.com/ssl-certificate/comodo-rejects-positivessl-order-because-it-has-the-word-malware-in-the-name-t106480.0.html

------
Mz
https://news.ycombinator.com/item?id=10473966

My link is newer, just 2 hours old, but these look like the exact same article
to me.

