by vangale 3870 days ago
As a Namecheap customer I was very very disappointed with this post when I read it yesterday. Also, it looks like they deleted a comment on their post from someone else who was disappointed and called them out on their FUD.

They've further edited the post to remove a lot of the misleading content, but not all.
Much better, but they're still arguing that somehow, non-EV certificates with identity validation are more valuable than DV certificates because users are going to look up the certificate details.

> We think that validation of a certificate’s owner is an important point that needs to be highlighted and discussed. Recent developments in SSL automation are fantastic from a technical point of view, however, consumers need to be educated on this new security paradigm and the appropriate signals to look for when making a security determination. Looking for ‘https’ and a lock in the browser bar, the traditional indicators that have been messaged as reliable, may not be so reliable anymore when it comes to the consumer definition of security.

This is laughable. It's been hard enough to get users to check for the presence of a security indicator at all. Most don't even know the difference between DV and EV, and EV certificates do have a strong visual indicator. OV certificates don't have any, except

Hell, I might not realize in time that my online banking session only has a DV certificate today instead of EV and I'm a professional.

Sure, I sometimes check which CA a particular site is using, out of curiosity. But no normal user is ever going to do that on a regular basis.

> Additionally, any time we receive a report of abusive activity and/or fraud involving a certificate, Namecheap works with CA’s to investigate the reported sites, and CA’s often take quick action to revoke site certificates as a result. This third-party revocation capability is important; it provides an additional layer of post-issuance protection.

Soo... How does that protect me as a Namecheap customer? Buying from Namecheap doesn't mean that an attacker couldn't request a Let's Encrypt certificate anyway, unless you use cert pinning, and you can do that with free certificates. There are some enterprise use cases where you'd just pin the CA instead of single certs, but those only matter at scale.

Namecheap is right about OV certificates being more trustworthy than DV ones, but the thing is - it doesn't really matter.

> Additionally, given recent developments, we strongly believe that additional education is required on the correct signals for consumers to use when making a security determination; browsers must necessarily shoulder some of this responsibility,

Like.... EV certificates? C'mon, browser vendors aren't going to add another security indicator just to protect your revenue.

Yeah, their points are all pretty shaky. I've been a fan of Namecheap for a while because of their past support for a better internet, but it's extremely disappointing to see this post from them.

I guess I didn't expect them to put their profits over what's best for the web.
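Two points in the thread above can be made concrete in code: what a DV, OV or EV certificate actually carries (the identity signal Namecheap says users should look for) and how key pinning ties a hostname to a key or an issuing CA independently of which CA issued the certificate. The program below is an added example written for this page; it is not code from any commenter or from Namecheap. It uses only the Go standard library, generates throwaway certificates in memory (the names "Example Root CA", "shop.example.test" and "Example Shop Ltd" are constructed), classifies them from their subject fields and the CA/Browser Forum EV policy OID 2.23.140.1.1, and then checks presented chains against a set of SPKI pins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID (2.23.140.1.1) and the certificatePolicies extension OID (2.5.29.32).
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// ValidationLevel labels a certificate from what it actually carries: a DV certificate binds
// only a name, an OV certificate adds a verified Organization, an EV certificate also asserts
// the EV policy identifier. No browser shows the DV/OV difference; only the cert itself does.
func ValidationLevel(c *x509.Certificate) string {
	for _, oid := range c.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return "EV"
		}
	}
	if len(c.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// SPKIPin returns the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainMatchesPins reports whether any certificate in the presented chain carries a pinned key.
// Pinning the leaf accepts only that exact key; pinning the issuer accepts whatever that CA
// signs and rejects a chain from any other CA, even one the system trust store would accept.
func ChainMatchesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// makeCert issues a throwaway certificate for subj, signed by parent (self-signed when parent is
// nil). When ev is true it adds a certificatePolicies extension asserting the EV OID; the DER is
// built by hand so the result does not depend on which policy field a given Go version marshals.
func makeCert(subj pkix.Name, isCA, ev bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subj,
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subj.CommonName}
	}
	if ev {
		// certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OBJECT IDENTIFIER }
		polDER, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{evPolicyOID}})
		if err != nil {
			panic(err)
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	// Constructed names; nothing here is a real CA or site.
	ca, caKey := makeCert(pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example CA Inc"}}, true, false, nil, nil)
	dv, _ := makeCert(pkix.Name{CommonName: "shop.example.test"}, false, false, ca, caKey)
	ov, _ := makeCert(pkix.Name{CommonName: "shop.example.test", Organization: []string{"Example Shop Ltd"}}, false, false, ca, caKey)
	ev, _ := makeCert(pkix.Name{CommonName: "shop.example.test", Organization: []string{"Example Shop Ltd"}}, false, true, ca, caKey)
	for _, c := range []*x509.Certificate{dv, ov, ev} {
		fmt.Printf("%-2s O=%q pin=%s\n", ValidationLevel(c), c.Subject.Organization, SPKIPin(c))
	}
	// Pin the issuing CA's key: the OV leaf passes, a same-name leaf from another CA does not.
	other, otherKey := makeCert(pkix.Name{CommonName: "Other Root CA"}, true, false, nil, nil)
	fromOther, _ := makeCert(pkix.Name{CommonName: "shop.example.test"}, false, false, other, otherKey)
	caPins := map[string]bool{SPKIPin(ca): true}
	fmt.Println("own CA chain pinned:  ", ChainMatchesPins([]*x509.Certificate{ov, ca}, caPins))
	fmt.Println("other CA chain pinned:", ChainMatchesPins([]*x509.Certificate{fromOther, other}, caPins))
}
```

The classification is deliberately the only thing a client can do without out-of-band knowledge: OV and DV certificates differ in subject contents, not in any browser-visible indicator, which is the commenter's point about users never looking. The pin check is what actually prevents a certificate from a different CA being accepted for the name, which is why the free-versus-paid question is orthogonal to it; the trade-off is that a leaf pin must be rotated with the key, while a CA pin survives reissuance but trusts everything that CA signs.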