I'm seeing a lot of discussions about financial and specifically banking sites here. For the average user, there's no reason or need to phish a particular financial site.<p>One of our engagements sent users to a site we just made up, and asked for user credentials for a site they had never heard of in order to access cat videos. In most cases, we were given valid domain credentials. I'd bet money a high percentage of those were also banking credentials. What good would an EV cert at the bank do for this?
EV is very useful when banks decide to host some parts of their online presence on what sounds like a phishing domain. Think "onlinewebconnect.com", which redirects through "live.logonvalidation.net" (Saxo Bank - they're hip enough to have their own TLD but apparently not smart enough to actually use it for something good) or the various domains banks liked to use for their "3D secure" login process.<p>It also drives the cost of phishing attacks up significantly. Sure, you can get a confusing cert issued, but if it requires you to <i>create a new company</i>, it's not going to be used in mass phishing attacks.
They were pretty silly in the first place. All it did was emphasise what a giant scam the CA business is: either all certificates have undergone meaningful validation, or none have; having higher and lower grades is... broken.
Another way to look at this article is: the browsers are killing EV certs.<p>That seems to be the bulk of the point he's making: EV certs are dead because, especially on mobile, you can't even tell they are there. He doesn't really, in my mind, support the case that EV certs never were worth anything. I definitely liked to see them when I went to my banks and the like. But I'll admit that I don't remember which ones had them and which didn't, other than that I expected my financial institutions to have them.
I may be different, but to me it seems that EV certificates are useful for dealing with domain typo phishing. Google.com is pretty short and memorable. However, when I type my bank's address, especially if it is a small bank, seeing the EV certificate gives me more confidence that I did not make a typo in the URL. Given that LetsEncrypt makes it free and painless to set up https if you have control of a domain, the EV certificate gives me just a little bit more comfort over a DV, especially for sensitive information.
It's got more credence coming out of Troy's mouth than, say, a random commenter's like mine, his somewhat too scathing snark notwithstanding, but on the "stripe.ian.sh" thread a few months ago I observed [1] that EV, or rather, people's mental model of the trust that EV confers, is broken. People typically care about whether the site they arrived at was the one they were intending to visit, which the computer can't possibly know without additional input, but EV has attained a role of serving as a flawed signal of such, because the browser bar said something that doesn't look alarmingly different.<p>What we're seeing now is the convergence of forces that are pushing short-lived, automatic DV certs and players who are keen on de-emphasizing EV's imperfect role as a destination surety signal.<p>Big sites can get by with DV because people trust big sites by fiat, just by mental associations they already have to a URL. There's no benefit to Facebook having an EV cert, because literally everyone who'd want to visit Facebook knows Facebook's URL. User error about entering credentials on the wrong site -- accidentally due to typosquatting, or through leading such as phishing -- is better mitigated in other ways: multi-factor authentication (especially unproxiable such as U2F); not by making the high-profile site pay thousands of dollars for a text string in green, when there are users who fall victim to phishing from bizarre domains too.<p>[1] <a href="https://news.ycombinator.com/item?id=15904513#15909273" rel="nofollow">https://news.ycombinator.com/item?id=15904513#15909273</a>
I actually found EV useful, especially when logging in to financial websites. Of course most people can't tell the difference between http and https, but I thought this issue would only be fixed by time.
I get that it's unreasonable to expect users to distinguish EV from DV certs.<p>But a machine should be able to distinguish. There should be an Expect-EV pin header, just like HSTS and Expect-CT. That way you can be sure the certificate wasn't issued via DNS hijacking.
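A machine can indeed distinguish EV from DV by inspecting the certificate itself: EV certificates carry the CA/Browser Forum EV policy OID (2.23.140.1.1) in their certificatePolicies extension and must name an organization in the subject. The check below is an added example, not code from the thread; it generates constructed self-signed certificates purely to exercise the check, and looks only for the CA/B Forum OID (historically browsers also recognised per-CA EV OIDs, which this does not cover).

```python
"""Decide whether an X.509 certificate asserts the CA/Browser Forum EV policy."""
import datetime
from typing import List, Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# CA/Browser Forum policy identifiers: EV Guidelines vs. Baseline Requirements DV.
EV_POLICY_OID = ObjectIdentifier("2.23.140.1.1")
DV_POLICY_OID = ObjectIdentifier("2.23.140.1.2.1")


def policy_oids(cert: x509.Certificate) -> List[str]:
    """Dotted-string policy OIDs from certificatePolicies, or [] if absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return []
    return [p.policy_identifier.dotted_string for p in ext.value]


def is_ev(cert: x509.Certificate) -> bool:
    """EV requires the EV policy OID *and* a subject organizationName."""
    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))
    return has_org and EV_POLICY_OID.dotted_string in policy_oids(cert)


def make_test_cert(policy: ObjectIdentifier, org: Optional[str]) -> x509.Certificate:
    """Constructed self-signed cert for the demo; no real CA or validation involved."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "bank.example")]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    policies = x509.CertificatePolicies([x509.PolicyInformation(policy, None)])
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(policies, critical=False)
        .sign(key, hashes.SHA256())
    )


if __name__ == "__main__":
    print("EV cert:", is_ev(make_test_cert(EV_POLICY_OID, "Example Bank Ltd")))  # True
    print("DV cert:", is_ev(make_test_cert(DV_POLICY_OID, None)))               # False
```

Such a check tells you only what the CA asserted; it cannot tell whether this is the site the user meant to visit, which is the gap the rest of the thread is about.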
I actually kind of agree that EV certificates inspire more confidence when buying something on a dodgy website that you've never heard of. But for that one needs to be tech savvy enough to even recognize what an EV certificate is and how it is different from a DV cert, and I am sure that even most developers aren't sure exactly, let alone the wider population. So I doubt it gives much benefit to any website.
Google seems intent on creating a more confusing UX with regard to EV certs, as EV looks more similar to non-secure sites than to secure sites in Chrome 69.<p>For now this has given me the impetus to ditch Chrome. All of the other major desktop browsers still provide useful UI for EV certs. I'm less inclined to deal with finances on mobile through a website anyway, as every financial org I've had to deal with has an app, and Apple ends up being the gatekeeper in that realm.<p>Hopefully there will be some sort of push for useful additions to certificate security coming out of Google, as right now they seem more determined to just be undermining things.