This topic is frustrating in that there seems to be a wide attempt by people to 
use one form of authentication (DV TLS) to verify another form of 
authentication (EV TLS). 

There seems an issue for people not being able to understand that a FREE 
service with a vey low bar in knowledge requirement on the part of the end user 
(the website owner) will be used across the spectrum of human achievement (good 
and bad).

Economics: If something costs money, they far fewer people will make use of it, 
this has been (one of) the core reasonings behind "Lets Encrpyt" and other free 
SSL service providers. 

Education: If something requires a skill and background knowledge to work 
properly and correctly then far fewer people will be willing to deploy it 
across their websites.

The next level is now that any business or high valued entity should over the 
course of the next few years implement EV certificates (many already have) and 
that browsers should make EV certificates MORE noticable on websites. 

The end nessecity is that the general public need to be educated that a 
"secure" website does not mean an "authenticated" business, person or 
organisation. The general public needs to be aware of the difference between a 
DV and EV certificate. 

The community has spent meany years trying to highlight that lack of secure 
SSL/TLS for websites, that now it's in place, the community needs to highlight 
the different *Types* of certificates available and what they mean for the 
website visitor.

In addition I think this topic seems to be highlighted as an excuse by parties 
who (for some reason) don't like Lets Encrypt and similar services and want to 
use it as a way for people who don't understand what DV TLS actually does, to 
use it to draw attention to others who do not know what DV TLS does, to 
highlight that Lets Encrypt is somehow Bad or Evil for providing a secure 
service for nefarious websites.

Some ideas:

1) Browsers can gradually make the EV certificates more prominent, something 
such as first time a site is visited with an EV certificate that a popup notice 
appears declaring the name and address of the owner of the site. 

2) Websites themselves need to deploy better Content Security Policy practises. 
Very few websites seem to be using CSP despite it being a very powerful and 
flexible tool for preventing any site masqurading as another by "borrowing" 
their media and contents.  

3) There could be a system of word recognition / repetition count for something 
such as browse plugins to detect websites that use the "Paypal" word for 
instance above a certain level and then notifying the user the site is NOT an 
actual paypal domain.

(sorry, I'm sure most of you reading this are well aware of the details, I 
wanted a bit of a vent)
dev-security-policy mailing list

Reply via email to