
489 points gslin | 7 comments
1. wannacboatmovie ◴[] No.42191675[source]
Nothing makes me trust a site with my payment info more than seeing a LE or domain-validated certificate with no ownership details in the DN.
replies(3): >>42191704 #>>42192128 #>>42192826 #
2. aaomidi ◴[] No.42191704[source]
The rate of misissuance of EV and OV is much higher than DV.
replies(1): >>42191748 #
3. wannacboatmovie ◴[] No.42191748[source]
Source? I'm not questioning it, I'd like to know more. DV always seemed vulnerable to DNS tampering.
replies(2): >>42191943 #>>42200064 #
4. ta1243 ◴[] No.42191943{3}[source]
And EV is vulnerable to a fancy-looking fax (remember them?)

Do you really check your site has an EV every single time? Especially now browsers treat them the same?

If not, how do you know someone hasn't got a DV certificate for this specific visit?

Scott Helme has a thorough takedown of them, and that was 7 years ago when they were still a thing.

https://scotthelme.co.uk/are-ev-certificates-worth-the-paper...

5. sunaookami ◴[] No.42192128[source]
HTTPS does not validate the trustworthiness of a site. Never has and never will. It only validates that the site has not been tampered with during transfer. Phishing sites can also have HTTPS; that doesn't make them trustworthy.
6. jonathantf2 ◴[] No.42192826[source]
Google.com (and my bank) use a DN certificate; if it's good enough for them, it's good enough for anyone.
7. aaomidi ◴[] No.42200064{3}[source]
I’m active in the WebPKI community (you might want to check out my Substack: https://webpki.substack.com/)

EV and OV, when they include DNS names, still require domain control validation anyway.

EV certs are generally manually verified. This means there’s a human factor in the middle of this process. DV certs can, and should, be fully automated.

Multi-perspective validation is about to be required too: https://cabforum.org/2024/11/07/ballot-smc010-introduction-o...