It's not easy being green: EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info

Re: EV certs: waste of money

"Which one is the correct one?"

Doesn't really matter - just pay more and you can whatever you want in an EV certificate. The point is to make money, not improve security.

Google gets to improve web security so that..

Web apps and PWAs can take over. They want everything to be web based so they can realise their mission of organising the worlds information and making it more accessible. Eliminating plaintext protocols, alongside the implementation of CA pinning, helps achieve that goal.

I happen to think the web is a dumpster fire these days and that native apps are better. But developers seem to disagree, opting for bloatware like Electron... bloatware which makes Java look like Mo Farah.

Re: Google made the decision?

Why would you need to click to check for the details, just the visible difference next to the address bar is enough to show you've landed on the bank's page instead of a phishing site and (hopefully) the real bank has taken the trouble to apply for an EV cert and the domain registrar has taken the trouble to verify that.

It's one more thing you check along with the address to make sure you're at the right site. Idiots are going to enter their password into anything, but it doesn't mean other people didn't find it useful.

As Silly Valley only measures metrics based on where the mouse pointer is or what people clicked on they missed the point. It only takes Google to do something for everyone else to follow suit like lemmings.

Internal CA not that difficult

If you control the distribution of keys to users machines, set up a Certificate Revocation List on a server somewhere and be sensible with the signing process it's not difficult to run an internal CA. There's various tools to help manage and automate too,

For small organisations you can do it yourself with the like of XCA or if you want to be really hard core techie OpenSSL on the command line.

Kinda a false choice though, isn't it?

Going backwards to fully user managed certs WOULD be a nightmare. That is kind of like saying dropping all forms of light other than the sun would be worse than only using matches. Technically true, but still backwards.

The EV part of EV certs doesn't fix the problems that are inherent to SSL/TLS as implemented. That doesn't mean the idea is without merit. I'd suggest separating the EV part so it can be an add on independent of the issuing CA (Better Competition) and improve both it and the certificate architecture to address the glaring chain of trust issues. Specifically, we need to address the SSL/DNS conundrum that any CA can issue a cert for any domain. Part of the domain registration should include designating your allowed DNS and CA's, so only the CA you actually use can issue a cert clients will accept as valid. No more banana republic issued certs cloning other peoples domains. Then the EV endorsements can provide additional confidence for critical services and raise the cost of exploitation to make domain spamming less cost effective. It would also make it easier to exclude bad actors, both as CAs and EV endorsers.

Certificate pinning plus strong authentication = WIN

Have DNS-over-HTTPS backed by DNSCRYPT convey the correct CA for the site you’re about to use. If it doesn’t match, reject it. Then to ensure phishing can’t happen, just force users to use tokens. Banks can afford to hand out dedicated devices to account holders and ordinary sites can just have users enrol with a TPM (standard in PCs) for webauthn or authenticate using their phone with a QR code (similar to WhatsApp).