This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form of authentication (EV TLS).
There seems to be an issue with people not being able to understand that a FREE service with a very low bar in knowledge requirement on the part of the end user (the website owner) will be used across the spectrum of human achievement (good and bad).

Economics: If something costs money, then far fewer people will make use of it; this has been (one of) the core reasonings behind "Let's Encrypt" and other free SSL service providers.

Education: If something requires a skill and background knowledge to work properly and correctly, then far fewer people will be willing to deploy it across their websites.

The next level is now that any business or high-valued entity should, over the course of the next few years, implement EV certificates (many already have) and that browsers should make EV certificates MORE noticeable on websites.

BUT: The end necessity is that the general public need to be educated that a "secure" website does not mean an "authenticated" business, person or organisation. The general public needs to be aware of the difference between a DV and EV certificate. The community has spent many years trying to highlight the lack of secure SSL/TLS for websites; now that it's in place, the community needs to highlight the different *Types* of certificates available and what they mean for the website visitor.

In addition I think this topic seems to be highlighted as an excuse by parties who (for some reason) don't like Let's Encrypt and similar services and want to use it as a way for people who don't understand what DV TLS actually does, to use it to draw attention to others who do not know what DV TLS does, to highlight that Let's Encrypt is somehow Bad or Evil for providing a secure service for nefarious websites.

Some ideas:

1) Browsers can gradually make EV certificates more prominent, something such as the first time a site is visited with an EV certificate, a popup notice appears declaring the name and address of the owner of the site.

2) Websites themselves need to deploy better Content Security Policy practices. Very few websites seem to be using CSP despite it being a very powerful and flexible tool for preventing any site masquerading as another by "borrowing" their media and contents.

3) There could be a system of word recognition / repetition count for something such as browser plugins to detect websites that use the "Paypal" word, for instance, above a certain level and then notify the user the site is NOT an actual PayPal domain.

(sorry, I'm sure most of you reading this are well aware of the details, I wanted a bit of a vent)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
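The brand-word repetition check from idea 3 above, written out as an added example (not code from the post or from any browser plugin it mentions); it is the kind of heuristic a content script could run, and the brand list, legitimate domains, threshold and sample page text are all constructed values chosen for illustration:

```javascript
// Added example: the "repetition count" heuristic from the post, as a
// browser-extension content-script check. BRANDS, THRESHOLD and the sample
// text below are constructed illustration values, not real allowlists.
const BRANDS = [
  { name: "paypal", domains: ["paypal.com", "paypal.me"] },
  { name: "mozilla", domains: ["mozilla.org", "mozilla.com", "firefox.com"] },
];
const THRESHOLD = 3; // mentions above this on a foreign host get flagged

// True when host equals one of the brand's domains or is a subdomain of one.
// "notpaypal.com" or "paypal.com.example.net" must NOT match.
function hostBelongsTo(host, domains) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return domains.some((d) => h === d || h.endsWith("." + d));
}

// Count whole-word, case-insensitive occurrences of a brand name in text.
function countMentions(text, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("\\b" + escaped + "\\b", "gi");
  return (text.match(re) || []).length;
}

// Returns [{ brand, count }] for every brand mentioned more than THRESHOLD
// times on a page whose hostname is not one of that brand's own domains.
function suspiciousBrands(hostname, visibleText) {
  const flagged = [];
  for (const brand of BRANDS) {
    if (hostBelongsTo(hostname, brand.domains)) continue;
    const count = countMentions(visibleText, brand.name);
    if (count > THRESHOLD) flagged.push({ brand: brand.name, count });
  }
  return flagged;
}

// Constructed sample page text and a lookalike host, for a stand-alone run.
// In a real content script this would be:
//   suspiciousBrands(location.hostname, document.body.innerText)
const SAMPLE_TEXT =
  "Welcome to PayPal! Log in to your PayPal account. " +
  "PayPal secures PayPal payments.";
console.log(suspiciousBrands("paypal.com.example.net", SAMPLE_TEXT));
```

The host check deliberately compares against registrable domains, so a hostname that merely contains the brand name is still treated as foreign.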