1. Can an arbitrary third party eavesdrop on my communications?
2. Am I communicating with who I think I'm communicating with?
It is now extremely easy to handle use case (1). Use case (2) is still genuinely hard, because even extremely technically literate security-savvy people can still easily be phished (my current go-to example is this talk: https://www.youtube.com/watch?v=ZjW12K0IHgo).
Compounding the problem, many people insisted, for many years, that use case (2) was the overwhelming majority of all the value of SSL/TLS, and use case (1) was at best a tiny microscopic fraction of a fraction of a fraction of what was useful about SSL/TLS.
Lest you think I'm exaggerating: I've spent years arguing with people, including right here on HN, about this, and being condescendingly told that identity verification is the crown jewel, and that if I'm not going to make use of that then I might as well literally just go back to plain unencrypted HTTPS, because apparently that's actually better than using SSL/TLS without identity verification.
Also, I really recommend watching that video I linked. It's a security engineer at Stripe, talking about how she ran some pretty successful campaigns within the company. Whatever you may think of them, they're not unlettered philistines. But even things like your "Expect-EV" wouldn't have helped -- she cites an example of people noticing their password manager wasn't autofilling, because it knew they weren't on the expected domain, and then users manually copy/pasting the credentials out of their password manager anyway. There just aren't any easy "just do X" technical solutions here.
One big reason people do that is because probably 99+% of the time their password manager fails to fill the fields is not because it is the wrong site.
It is almost always because the site has done something with its fields that is either preventing the password manager from finding the fields, or is blocking it from filling them (often intentionally).
The issue is that credential stores which know how to recognize the "real" version of a site aren't going to achieve the level of effectiveness we'd like to have against phishing.
Encryption without identity verification is objectively worse than no encryption at all. The reasons are straightforward:
• Encryption isn't free. Whilst performance has improved, there's no heartbleed without OpenSSL. It adds complexity, it adds a TON of extra work and operational problems like key expiry policies, and in general increases your attack surface.
• We generally feel the complexity is worth it to block MITM attacks. But if you are just handshaking with whatever is answering your packets, you aren't blocking MITM attacks.
The assumption underlying your position is (being generous) that the world is full of passive MITMs who can't also take part in the conversation, so any Diffie-Hellman key exchange will knock them out. But Snowden proved conclusively that this isn't true. Local attackers can do ARP spoofing, packet injection and other tricks and remote attackers are the NSA who also can perform large scale packet injection and active MITM attacks. Where are the passive-only attackers?
If you aren't stopping active MITM, then there don't seem to be any adversaries you are actually stopping, and at that point the additional (potentially hackable) code required and additional work required is just nothing-for-something.
When I was in college I used to teach friends the importance of encryption by just showing them a live dump of packets on the dorm's LAN. You could see everything: here are the IMs coming to you and getting your away message as a reply, there's your computer refreshing the news site you were looking at a minute ago... it opened their eyes in a big way.
Encryption -- even without checking seventeen forms of government-issued ID from the person on the other end -- does in fact stop that passive surveillance, and like it or not that's a gigantic use case.
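The disagreement in the last few comments comes down to which adversary an unauthenticated handshake stops. The following is an added example, not code from any commenter: it runs plain Diffie-Hellman (the "handshaking with whatever is answering your packets" case) against a passive observer and against an on-path party that substitutes its own public values, then repeats the exchange with the server's public value authenticated. The long-term HMAC key that Alice already trusts is a stand-in for a CA-issued certificate and is an assumption of the example; real TLS signs the handshake transcript with the certificate's key instead.

```python
"""Unauthenticated vs authenticated Diffie-Hellman: which adversary each stops.

Added example for this thread, not code from any commenter. The long-term
HMAC key standing in for a CA-signed certificate is an assumption of the
example; real TLS signs the handshake transcript with the server's
certificate key instead.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), generator 2. Transcribed here;
# check it against the RFC before reusing it anywhere that matters.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8

# Constructed stand-in for Bob's long-term identity key, already trusted by
# Alice (the role a CA-issued certificate plays in TLS).
BOB_LONGTERM_KEY = b"constructed-long-term-key-for-the-example"


def keypair():
    """Fresh ephemeral private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from our exponent and the peer's public value."""
    if not 1 < peer_pub < P - 1:  # reject 0, 1 and p-1 (degenerate values)
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def authenticate(longterm_key, pub):
    """Tag a public value under the long-term key (stand-in for a signature)."""
    return hmac.new(longterm_key, pub.to_bytes(KEY_BYTES, "big"), "sha256").digest()


def unauthenticated_exchange(active_mitm=False):
    """Plain DH: the thread's 'handshake with whatever answers your packets'.

    Returns (alice_key, bob_key, adversary_view). A passive observer's view is
    only the two public values; an active on-path party substitutes its own
    values and ends up holding one key with each side.
    """
    a, pub_a = keypair()
    b, pub_b = keypair()
    if not active_mitm:
        # Recovering a or b from pub_a/pub_b is a discrete log in a 2048-bit group.
        return shared_key(a, pub_b), shared_key(b, pub_a), {"observed": (pub_a, pub_b)}
    m1, pub_m1 = keypair()  # what Alice receives "from Bob"
    m2, pub_m2 = keypair()  # what Bob receives "from Alice"
    alice_key = shared_key(a, pub_m1)
    bob_key = shared_key(b, pub_m2)
    view = {"with_alice": shared_key(m1, pub_a), "with_bob": shared_key(m2, pub_b)}
    return alice_key, bob_key, view


def authenticated_exchange(active_mitm=False):
    """Same exchange, but Bob's public value carries a tag Alice can verify.

    Returns (ok, alice_key, bob_key); ok is False and no keys are derived when
    the value Alice received is not the one Bob authenticated.
    """
    a, pub_a = keypair()
    b, pub_b = keypair()
    tag = authenticate(BOB_LONGTERM_KEY, pub_b)
    received = pub_b
    if active_mitm:
        _, received = keypair()  # substituted value; the tag still covers pub_b
    if not hmac.compare_digest(tag, authenticate(BOB_LONGTERM_KEY, received)):
        return False, None, None  # abort: identity check failed, no session key
    return True, shared_key(a, received), shared_key(b, pub_a)


if __name__ == "__main__":
    ka, kb, _ = unauthenticated_exchange()
    print("passive observer, no auth: keys agree ->", ka == kb)
    ka, kb, view = unauthenticated_exchange(active_mitm=True)
    print("active MITM, no auth: keys agree ->", ka == kb,
          "| on-path party holds both ->",
          view["with_alice"] == ka and view["with_bob"] == kb)
    ok, ka, kb = authenticated_exchange(active_mitm=True)
    print("active MITM, authenticated: handshake accepted ->", ok)
```

The first run is the dorm-LAN case: the observer's view is two public values and nothing else, and the session key is out of reach. The second run is the case the "objectively worse" comment is about: without authentication the substitution goes unnoticed and both sides agree a key with the wrong party. The third run shows what a DV certificate buys: the substituted value fails the identity check and no session key is derived. In production the tag would also bind the client's value and the rest of the transcript, as TLS does, so that a recorded tag cannot be replayed.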
The realistic threat model for most people in terms of active MITM is something like their ISP trying to inject ads and tracking into what they browse, or their home router getting compromised. It takes very very little in terms of identity verification to shut that down; DV certs, which you can get by the truckload, for free, from Let's Encrypt -- will handle it just fine. Which means you don't need EV for that.
As to Snowden, I'm reminded of James Mickens' famous breakdown of threat models. All the Ultra-Verified Premium Secure XP+ Guaranteed™ certificates in the world ain't gonna help if a major government decides to come for you.
EV is snake oil. It literally does not solve any realistic problem the average person has when using the internet; all it does is line the pockets of the cert vendors. DV is the absolute most you need to shut down the things you can shut down, and encryption in general -- even without verification! -- is just fine, thanks. I know I might have a secure channel to Satan. I care about the "secure" part, not the "Satan" part.
Also, as I often do when faced with a true believer, I'll ask you: how many times have you initiated an SSH session with some host for the first time and just accepted past the initial warning? If encryption without rigorous verification is "objectively worse than no encryption at all", why didn't you just telnet instead?
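The SSH comparison above is the trust-on-first-use model: the first connection is accepted without any identity check, but the key that answered is recorded, so a later substitution is detectable. The following is an added example, not code from any commenter or from OpenSSH, that mirrors what `known_hosts` does and adds the one step that turns an unverified first use into a real check, namely comparing against a fingerprint obtained out of band. The host keys are constructed byte strings standing in for the SSH wire encoding of a public key, which is what OpenSSH actually fingerprints.

```python
"""Trust-on-first-use host key checking in the style of OpenSSH's known_hosts.

Added example for this thread, not code from any commenter or from OpenSSH.
The key blobs are constructed bytes, not real keys; they stand in for the
SSH wire encoding of a host public key, which is what ssh fingerprints.
"""
import base64
import hashlib
from typing import Optional


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's display form (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Maps host -> fingerprint, as ssh records it on first connect."""

    FIRST_USE = "first-use: recorded without verification"
    VERIFIED = "first-use: verified against out-of-band fingerprint"
    MATCH = "match: key unchanged since it was recorded"
    MISMATCH = "MISMATCH: remote host identification has changed"

    def __init__(self) -> None:
        self._entries = {}

    def check(self, host: str, key_blob: bytes,
              expected_fp: Optional[str] = None) -> str:
        """Classify the key a host presented.

        expected_fp is a fingerprint obtained out of band (console output,
        provider dashboard, documentation). Supplying it on first contact is
        what turns "trust whatever answered" into an identity check; without
        it the first connection is the unverified one the thread talks about.
        """
        fp = fingerprint(key_blob)
        known = self._entries.get(host)
        if known is None:
            if expected_fp is not None and expected_fp != fp:
                return self.MISMATCH  # wrong key already on first contact
            self._entries[host] = fp
            return self.FIRST_USE if expected_fp is None else self.VERIFIED
        return self.MATCH if known == fp else self.MISMATCH


# Constructed sample key material (not real keys).
HOST_KEY = b"ssh-ed25519 constructed-key-material-for-dev-host"
OTHER_KEY = b"ssh-ed25519 different-constructed-key-material"


def blind_first_use():
    """Accept on first use, then detect a changed key on a later connect."""
    kh = KnownHosts()
    return [
        kh.check("dev.example.test", HOST_KEY),   # nothing to compare against
        kh.check("dev.example.test", HOST_KEY),   # same key: fine
        kh.check("dev.example.test", OTHER_KEY),  # different key: warn, refuse
    ]


def verified_first_use():
    """Check the first contact against a fingerprint obtained out of band."""
    kh = KnownHosts()
    published = fingerprint(HOST_KEY)  # e.g. read from the console at provisioning
    return [
        kh.check("dev.example.test", OTHER_KEY, expected_fp=published),
        kh.check("dev.example.test", HOST_KEY, expected_fp=published),
    ]


if __name__ == "__main__":
    for line in blind_first_use() + verified_first_use():
        print(line)
```

The blind sequence is the one the comment describes: the first connection is encrypted but talks to whoever answered, and only later connections get an identity check. The verified sequence shows the cheap fix for the first connection, which is the SSH analogue of a DV certificate: you do not need a government ID from the far end, just a fingerprint you got through a channel the on-path party does not control.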
Expect-EV would prevent attacks where a domain is hijacked via DNS or BGP. U2F wouldn't help with these attacks. I know that phishing is a much bigger problem than domain hijacks, but domain hijacks do happen, so it would be nice to have protection.