Since this post is clearly a push for EV certs, I’ve had to spend some time actually finding an example site that bothers to use these. They clearly are not very prevalent (none of the websites I frequent use them), and therefore users are clearly not looking for them.
Let’s say I want to install Lastpass to manage my passwords. So I go and visit lastpass.com. The big green bar tells me that I am now dealing with “LogMeIn (Inc)”.
What, in a practical sense, does that tell me? Should I suddenly trust them with my passwords because I have an associated company name? More than a few companies have shown themselves over the years to be completely untrustworthy, and I have no reason to see them as any different based on the fact that a CA chooses to tell a browser to color them in green. In fact, if not for the fact that I was already aware Lastpass was recently acquired by LogMeIn, I would likely consider the fact it doesn’t say “Lastpass (Inc)” a red flag.
Alternatively, I could try to use KeePassX. And I note their domain has a DV certificate only.
One of these products is fully open source and uses publicly audited encryption. The other involves storing sensitive data on a magical cloud and trusting the implementation.
This post seems to make an argument that Lastpass is somehow objectively more trustworthy because someone went to the effort of getting an EV cert. Last time I tried to buy an EV cert, I was shown a string of overseas and blog-spam type websites by Comodo and told I needed to be listed there in order to qualify for EV. The suggestion that jumping through those sorts of hoops:
- Somehow authenticates a company better
- Should be necessary to establish a website can be trusted
is absolutely absurd.
Now to the main point:
Unless there is “pre-established trust”, encryption on its own without Authentication is useless!
Practical threats and reasons to use TLS include:
- Intercepted credentials on public networks
- Manipulation of traffic by an ISP, such as inserting advertisements
- Mass surveillance
I can resolve any of these with a domain validated certificate. How could you claim these are useless?
We “identify” the identity behind the domain name, but we don’t know if we “trust” them or not.
And nothing about authenticating a company name changes this. I can just as easily walk into a physical shop, clearly knowing exactly who they are and where they are, and get ripped off. The one time I had a credit card stolen, it’s because I used it in a restaurant where the staff were skimming. You seem to feel this couldn’t happen, and that instead we need to “trust” a business, if they’ve put their name on a certificate. The majority of the Internet will disagree.
doesn’t say anything about if this person is controlling that domain legitimately or not.
There’s an irony in referring to hacked domains here. If someone happens to hack forums.comodo.com and starts serving malware from there, what do you do? Do you:
- Somehow deny this could happen and trust the site, because it has an EV cert?
- Revoke the cert, as you’ve referred to elsewhere - and break the site even after it’s cleaned up?
- Accept that the cert doesn’t have a lot to do with this scenario?
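What the green bar technically rests on, as an added example that is not from this thread: a Go program that builds constructed, self-signed test certificates carrying the published CA/Browser Forum EV or DV policy OID and reports what each one actually asserts about its holder (a vetted organization name, or domain control only). The OIDs are the real published values; the domain, organization name and the `MakeCert`/`must` helpers are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Published CA/Browser Forum policy OIDs for EV and DV, plus id-ce-certificatePolicies.
var (
	oidEV       = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)
// ValidationLevel reports what a leaf certificate asserts about its holder: control of
// the domain only (DV) or also a CA-vetted organization name (EV). Neither implies trust.
func ValidationLevel(c *x509.Certificate) string {
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(oidEV) && len(c.Subject.Organization) > 0 {
			return "EV: " + c.Subject.Organization[0]
		}
		if p.Equal(oidDV) {
			return "DV: domain control only"
		}
	}
	return "no recognised EV/DV assertion"
}
// MakeCert builds a constructed, self-signed test certificate for dnsName carrying the
// given policy OID and subject organization (nil for a DV-style subject). Assumed helper.
func MakeCert(dnsName string, org []string, policy asn1.ObjectIdentifier) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
	polDER := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		Subject: pkix.Name{CommonName: dnsName, Organization: org}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), ExtraExtensions: []pkix.Extension{{Id: oidPolicies, Value: polDER}}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
// must panics on error; acceptable for a test fixture whose inputs are fixed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

Feeding a real leaf certificate to `ValidationLevel` shows the same thing: the EV flag is a policy OID plus a subject Organization string, nothing more.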