
The Insecure Elephant in the Room - smacktoward
https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/
======
kayfox
The TL;DR of this article is that you should have to pay for certificates and
pay a lot for extended validation certificates because if everyone has a
certificate the differentiation for trusted websites is diminished.

It's unsurprising that this is from an association of Certificate Authorities.

~~~
dreamcompiler
Fine. The author might have a financial interest in the outcome. But is he
wrong? His data strongly suggests that the easy availability of DV
certificates and the deprecation of EV certificates makes the creation of
phishing sites far too easy.

~~~
Meph504
The idea that paying for something somehow makes it more trustworthy is a bit
of a farce; the whole system of commercial paid-for certs was a bad idea, and
is being propped up by those that have a financial interest in keeping it
going.

EV certs cost a crazy amount, and the issuers tout an exhaustive validation
process, but it isn't actually that hard to get a fake one issued. Use a
process very similar to one covered here
([https://www.cyberscoop.com/easy-fake-extended-validation-cer...](https://www.cyberscoop.com/easy-fake-extended-validation-certificates-research-shows/))

I think having the free SSL option has allowed a lot of sites to move to a
more secure web.

