by lifeisstillgood 3935 days ago
Well. I missed that memo. Or rather I kinda sorta knew it was getting devalued, but a Padlock in my browser is something I trust. If it's not trustworthy or verified, should we not go the whole hog, dump trusted public keys from all browsers and move to the web-of-trust / certificate pinning?

From the blog:

   just too much of a hassle. The application process can be 
   confusing. It usually costs money. It’s tricky to install 
   correctly. It’s a pain to update.

If the reason there is not enough SSL around is because it's too much hassle for webmasters, I doubt there is a solution. If you want to take payments you get SSL. If that's too much hassle, PCI compliance is going to really stretch you.
2 comments

The padlock means you are connecting to the owner of that domain. That's a very valuable guarantee.

EV validation and whatnot is essentially a nice way to burn a ton of money on borderline extortion.

Vanilla SSL verifies that the website is legit; EV verifies that the business is legit. More competition will lower the price; there's tons of room for cheaper & faster EV providers.

> But a Padlock in my browser is something I trust.

On the padlock note, Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Only EV certs get a full green one (as well as the legal name as other browsers show for EV). See https://certsimple.com/blog/dv-ssl-in-microsoft-edge

> Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Firefox does the same. Luckily, Chrome is unlikely to do the same, since google.com itself is "only" domain validated.

Now we just need to add a big red icon for http sites...
Mozilla actually have announced their plans to deprecate plain HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non...