The CA's Role in Fighting Phishing and Malware
letsencrypt.org
This has always puzzled me about SSL certs. Most site owners want to ensure that communication to and from the server is encrypted and secure from all prying eyes, period.
Other site owners also want to add to this the concept of trust, to prove that who they are has been legitimately verified by a trusted third party.
That the two mechanisms are forced together is not ideal. The lock symbol should symbolise the encryption. Another icon should be used to denote trust.
Snowden has uniquely proven that all data must be encrypted both in communiqué and ideally also at rest.
Are encrypted communications and verified trust mutually exclusive or not? Discuss!
A classic example is this[0] debacle, wherein a legitimate user struggles with all forms of difficulties because a CA took it upon themselves to police the certificates they issue.
Similarly, I bought a certificate from that same company and because it was for a well known brand I was made to jump through all sorts of verification hoops, despite being a DV certificate.
I won't link it here but I came across a stresser service quite literally selling DDoS tools, advertising that they accept bitcoins for anonymous attacks - who happen to have an EV certificate and give users a big green bar.
Does that make it a legitimate business? SSL vendors want you to think so.
[0] https://forums.comodo.com/ssl-certificate/comodo-rejects-pos...
https://news.ycombinator.com/item?id=10473966
My link is newer, just 2 hours old, but these look like the exact same article to me.