by tokenizerrr 3933 days ago
This is not what regular-style certificates verify. That is what Extended Validation certificates verify, and they're not issued by letsencrypt.org and generally are a lot more expensive.

The only thing that regular-style certificates verify (this is what current CAs do; you can also grab a free one with automatic validation at https://www.startssl.com/) is that the person who controls the domain name has requested the certificate. This is usually done by serving a specific file over HTTP once, setting a TXT DNS record, or responding to mail to postmaster@yourdomain.tld.

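As an added illustration of the domain-validation checks described in the comment above (this is example code, not code from the thread, from Let's Encrypt, or from any CA): the HTTP-file and DNS-TXT methods are modelled here on the ACME http-01 and dns-01 challenge flows from RFC 8555, where the CA issues a random token and the requester publishes a "key authorization" that binds that token to its own account key. The postmaster@ email method is not modelled. The domain name, the two account keys (JWK dicts with placeholder coordinates) and the in-memory web server and DNS zone are all constructed stand-ins so the example runs offline; the comparison uses hmac.compare_digest so a CA-side check does not leak how much of the value matched.

```python
"""Simulated domain-validation (DV) checks, modelled on ACME http-01 / dns-01.

Added example, not code from the thread or from any CA. The HTTP server and the
DNS zone are in-memory dicts; the account keys are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for tokens and hashes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's members as canonical JSON
    (sorted keys, no whitespace). Member order in the input does not matter."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Requester side: binds the CA's token to the requester's account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def new_token() -> str:
    """CA side: a fresh, unguessable token for each challenge."""
    return b64url(secrets.token_bytes(32))


def verify_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """CA side: fetch the well-known URL and compare the body in constant time."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None:  # nothing published at that path
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip(), expected)


def verify_dns01(domain: str, token: str, account_jwk: dict, lookup_txt) -> bool:
    """CA side: the TXT record at _acme-challenge.<domain> must hold
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    expected = b64url(digest)
    records = lookup_txt(f"_acme-challenge.{domain}")
    return any(hmac.compare_digest(r, expected) for r in records)


def run_demo() -> dict:
    """Walk one challenge through both methods for the legitimate holder,
    for a different account key, and for a token the CA never issued."""
    # Constructed account keys (not real EC keys): only the thumbprint matters here.
    holder_jwk = {"kty": "EC", "crv": "P-256", "x": "holder-x-coord", "y": "holder-y-coord"}
    other_jwk = {"kty": "EC", "crv": "P-256", "x": "other-x-coord", "y": "other-y-coord"}
    domain = "example.test"  # constructed domain
    token = new_token()

    # The domain holder publishes the key authorization on its web server and
    # the hash of it in DNS. Both stores are stand-ins for the real services.
    keyauth = key_authorization(token, holder_jwk)
    web = {f"http://{domain}/.well-known/acme-challenge/{token}": keyauth}
    zone = {f"_acme-challenge.{domain}": [b64url(hashlib.sha256(keyauth.encode()).digest())]}

    def lookup(name):
        return zone.get(name, [])

    return {
        "http01_holder": verify_http01(domain, token, holder_jwk, web.get),
        "dns01_holder": verify_dns01(domain, token, holder_jwk, lookup),
        # The same published content does not validate for another account key:
        # the challenge proves control of the name for that specific account.
        "http01_other_account": verify_http01(domain, token, other_jwk, web.get),
        "dns01_other_account": verify_dns01(domain, token, other_jwk, lookup),
        # A token the CA never issued finds nothing at the well-known path.
        "http01_wrong_token": verify_http01(domain, new_token(), holder_jwk, web.get),
    }


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'pass' if passed else 'fail'}")
```

The point the thread makes is visible in the results: the check says nothing about who the requester is as a person or business, only that whoever asked for the certificate could place CA-chosen content on the web server or in the DNS zone for that name at that moment.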

> This is not what regular style certificates verify. That is what Extended Validation certificates verify and they're not issued by letsencrypt.org and generally are a lot more expensive.

I'd like to see LetsEncrypt move into this territory though. What current private business providers are charging for this service is borderline extortion.

EV validation will have a marginal cost because of the offline interactions. DV can be done at almost no marginal cost. That's why Let's Encrypt can exist at all.

FWIW, you can already get an SSL cert for $4/year.

"this territory" was referring to EV certificates. Those cost more than $4.

I misread the post, sorry :|
But the certificate is (supposed) to say we have verified that this person / organisation exists and is "allowed" this domain.

Now if we extend the idea of every business or even human having their own (sub)-domain (lots of good benefits there) then we are in the territory of ensuring the CAs track you from birth - that's what governments do, and boy are they expensive.

I think what I am saying is we either have CAs we can trust or we dump the whole thing and go to web of trust.

That ship sailed years ago. And now we have EV certificates to deal with that problem.
For the time being, it's DNS registrars who define who is allowed particular domain names, and DV CAs just try to draw the connection between what the registrars have said and the server you're visiting at a particular moment.
Well. I missed that memo. Or rather I kinda sorta knew it was getting devalued, but a padlock in my browser is something I trust. If it's not trustworthy or verified, should we not go the whole hog, dump trusted public keys from all browsers and move to the web-of-trust / certificate pinning?

From the blog:

   just too much of a hassle. The application process can be 
   confusing. It usually costs money. It’s tricky to install 
   correctly. It’s a pain to update.
If the reason there is not enough SSL around is because it's too much hassle for webmasters, I doubt there is a solution. If you want to take payments you get SSL. If that's too much hassle, PCI compliance is going to really stretch you.
The padlock means you are connecting to the owner of that domain. That's a very valuable guarantee.

EV validation and whatnot is essentially a nice way to burn a ton of money on borderline extortion.

Vanilla SSL verifies that the website is legit, EV verifies that the business is legit. More competition will lower the price; there's tons of room for cheaper & faster EV providers.
> But a Padlock in my browser is something I trust.

On the padlock note, Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Only EV certs get a full green one (as well as the legal name as other browsers show for EV). See https://certsimple.com/blog/dv-ssl-in-microsoft-edge

> Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Firefox does the same. Luckily, Chrome is unlikely to do the same, since google.com itself is "only" domain validated.

Now we just need to add a big red icon for http sites...
Mozilla actually have announced their plans to deprecate plain HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non...