Hacker News
by Something1234 3055 days ago
Chrome should have 3 levels of security.

* HTTP (Red Box and Complaining)

* HTTPS w/ Let's Encrypt (No complaints, but no true secure lock.)

* HTTPS w/ a paid certificate (True magical green box)

In fact I think this should apply to all browsers. This might not deal with all of the issues, but it would be a good start. Feel free to point out where I'm wrong.

2 comments

What makes Let's Encrypt less secure than a paid certificate? Or do you mean EV certs for the "magical green box"?
Even EV certs don't really matter. Case in point: https://stripe.ian.sh/

Let's Encrypt isn't the problem here. Expecting all CAs to properly verify what is and isn't a phishing website is unreasonable IMO. It just won't happen. Smaller CAs have hundreds of thousands of certs... it's just not possible.

The real issue is that a cert only says "Your communication with this site is encrypted, and you're speaking to the owner of this certificate" (assuming it hasn't been compromised). Certs don't make any guarantee that the person you are talking to is a good guy, nor that they aren't trying to trick you into giving your password to them.

Will the extra magic of the green box make users more secure? Does paying for a certificate make the certificate more trustworthy?

These are actually serious questions that I think the CA/Browser Forum are discussing (particularly in terms of the issuing requirements and UI representation for EV certificates), but I think it often boils down to the "feeling" of security, relying on the supposition that criminals would be less successful if their site didn't have the magical green box, or that they would be easier to catch by tracing the credit card payment they used to buy their certificate.