Hacker News

> First, they probably want to actually do something instead of being hopeless, so they consider doing something better than nothing even if it's not ideal.

Right, once OV and EV certificates are effectively removed from browsers, users such as myself will no longer have any tool to help ensure we are interacting with the entity we intend to be interacting with. It is kind of like getting a cold call from your credit card company saying there has been suspicious activity and they want me to authenticate my account with personal details. I always call the phone number on the back of my physical credit card to ensure someone isn't scamming me.

Rather than removing EV certificates as a concept, I would love to see some experiments run by browser vendors to see how users can more readily understand who they are interacting with. But instead, the solution seems to be to get rid of the only option since it doesn't work in its current incarnation.

> Part of the argument against them is not just that they're ineffective, but also expensive. It's not unreasonable to simply call it snake oil.

I have a hard time understanding this argument. You can purchase an EV cert for $80 a year from NameCheap. The extra cost is because they have people verify that the company details you have provided are valid and that you are an authorized representative of the company. Any company that is more than a solo founder is going to be in dire straits if $80 a year is too much. I mean, are you even going to find a domain name and hosting for less than $80 a year?

In reality though, I don't think much of anyone other than major email providers and financial institutions really need to worry about EV. If a website doesn't have EV, but uses PayPal, I have no qualms. But if I go to log into Fidelity or PayPal and they couldn't be bothered to spend $100 per year to help me ensure I am actually interacting with them, that says a lot to me. I mean, even my small town NH bank has an EV cert. It just makes sense if you are dealing with finances.




OV was never really accessible in browsers. Even the vendors pushing these seemed to avoid showing how to identify one (when they would screencap the EV green bar), and probably for good reasons.

> You can purchase an EV cert for $80 a year from NameCheap

I've been through this quite a few times. The cost of the cert isn't the true cost. If I could pay $80 to Let's Encrypt to have every issued cert be EV, I'd do it just to avoid this bikeshed. Every single time I've done it, the validation process has been extremely painful. I feel like it's made up on the spot by whatever offshore person gets asked to do the validation. Documents accepted last year are suddenly not accepted at renewal time. Being denied because my Australian company doesn't show up on a UK business register, for example.


> avoid showing how to identify one

The certificate policy identifier will be 2.23.140.1.2.2 for OV. You have to look at the certificate details to find it.

I looked into it for someone once. Then I watched in amazement as a less technical person insisted on OV certificates.
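The policy-identifier check described in the comment above, as an added example that is not the commenter's code: a stdlib-only Python parser for the DER value of a certificatePolicies extension that maps the CA/Browser Forum reserved policy OIDs (the OV one from the comment plus the published DV, IV and EV identifiers) to a validation level. The sample extension bytes are constructed; the 1.2.3.4 OID stands in for a CA-private policy OID.

```python
"""Classify a cert's CA/B Forum validation level from certificatePolicies."""

# CA/Browser Forum reserved policy OIDs; OV is the one named in the thread.
CABF_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OID contents (e.g. 67 81 0c 01 02 02) into dotted text."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    sub = 0
    for b in value[1:]:                    # base-128, high bit = continuation
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(ext_value):
    """Return every policyIdentifier OID in a DER certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)         # one PolicyInformation
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)  # first element is the OID
        if oid_tag == 0x06:
            oids.append(decode_oid(oid_bytes))      # qualifiers are ignored
    return oids

def validation_level(ext_value):
    """Return 'EV', 'OV', 'IV', 'DV' or 'unknown' for the extension value."""
    found = {CABF_POLICY_OIDS[o] for o in policy_oids(ext_value) if o in CABF_POLICY_OIDS}
    return next((lvl for lvl in ("EV", "OV", "IV", "DV") if lvl in found), "unknown")

# Constructed sample: OV policy 2.23.140.1.2.2 plus a placeholder private OID.
SAMPLE_OV_POLICIES = bytes.fromhex(
    "3011" "3008" "0606" "67810c010202"   # PolicyInformation { 2.23.140.1.2.2 }
           "3005" "0603" "2a0304")        # PolicyInformation { 1.2.3.4 }
```

On a real certificate, `validation_level` would be fed the raw extension value that a TLS library or `openssl x509` hands back for the certificatePolicies extension.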



