by k_sze 2507 days ago
Then the problem isn’t really with the EV cert itself, no?

What if browsers were designed such that for each website, over HTTPS or not, the first X times you visit it, the browser forces you to review the relevant WHOIS and/or certificate info in a modal? And also force you to review the certificate if the certificate has been renewed/replaced?


Who are these hypothetical users who are going to conduct a thorough review of Whois/cert data the first $n times they go to a site?

I’m a security-conscious, technically savvy user of the internet, and I’m neither convinced I would put up with this for more than a day before disabling it nor that it would improve my security if I were to try. I’m pretty confident my eyes would just start glazing over the 5th time I scrolled through cert metadata.

My hypothesis is that users just need to have an in-your-face reminder that they are venturing into uncharted territory whenever an unseen domain and/or certificate comes up. The "X" in my "first X times" could be as low as 1.

You also don't need to show all cert metadata; just enough to be meaningful to the user. I believe that stuff like certificate signature, public key, and hash don't need to be shown to the user in such a modal dialog; they could be automatically checked against certificate transparency logs.

What you want to show to the user in such a modal is stuff like:

  - entity name
  - business registration jurisdiction
  - business registration number

That's the kind of info that the CA ought to validate diligently. That's also the kind of info that people use to validate the identity of businesses in the physical world.

The modal should also have clear wording in big letters of what a certificate actually means, namely, that the communication with the server is safe against eavesdropping and forgery, but that it's the user's responsibility to make sure the server is not an imposter - e.g. similar name or same name but registered in a different jurisdiction than the legitimate entity.

It's a lot about education, awareness, and timely reminders.

The alternative, which is to hide any indication of EV from the user, seems to be throwing up our hands and just assuming users are always dumb and lazy. In that case, why bother with, not just EV, but any certificate at all?
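
A sketch of the prompting rule proposed in the comment above, added here as an example; it is not part of the thread and not any browser's code. It assumes the certificate subject has already been parsed into an object keyed by attribute OID, and `reviewDecision`, `EV_FIELDS` and the sample certificates are hypothetical, constructed names.

```javascript
// Added illustration; every name here is hypothetical, not a browser API.
// EV subject attributes, keyed by OID (CA/Browser Forum EV Guidelines).
const EV_FIELDS = {
  "2.5.4.10": "Entity name",
  "1.3.6.1.4.1.311.60.2.1.3": "Registration jurisdiction (country)",
  "1.3.6.1.4.1.311.60.2.1.2": "Registration jurisdiction (state/province)",
  "2.5.4.5": "Business registration number",
};

// seen: Map of domain -> { fingerprint, reviews }; x is the "first X times".
function reviewDecision(seen, domain, cert, x = 1) {
  const prior = seen.get(domain);
  let reason = null;
  if (!prior) reason = "new-domain";
  else if (prior.fingerprint !== cert.fingerprint) reason = "certificate-changed";
  else if (prior.reviews < x) reason = "review-pending";
  if (reason === null) return { show: false, reason, fields: [] };

  // A new or replaced certificate restarts the review count.
  const reviews = reason === "review-pending" ? prior.reviews + 1 : 1;
  seen.set(domain, { fingerprint: cert.fingerprint, reviews });

  // Only the identity fields go to the user; key and signature checks stay automatic.
  const fields = Object.entries(EV_FIELDS)
    .filter(([oid]) => cert.subject[oid] !== undefined)
    .map(([oid, label]) => ({ label, value: cert.subject[oid] }));
  return { show: true, reason, fields };
}

// Constructed sample certificates: same entity name, different jurisdiction.
const certA = { fingerprint: "constructed-fp-A", subject: {
  "2.5.4.10": "Example Payments, Inc.", "1.3.6.1.4.1.311.60.2.1.3": "US",
  "1.3.6.1.4.1.311.60.2.1.2": "Delaware", "2.5.4.5": "1234567" } };
const certB = { fingerprint: "constructed-fp-B", subject: {
  "2.5.4.10": "Example Payments, Inc.", "1.3.6.1.4.1.311.60.2.1.3": "US",
  "1.3.6.1.4.1.311.60.2.1.2": "Kentucky", "2.5.4.5": "7654321" } };

const seen = new Map();
for (const cert of [certA, certA, certB]) {
  const d = reviewDecision(seen, "shop.example", cert);
  console.log(d.reason, d.fields.map((f) => `${f.label}: ${f.value}`));
}
```

The second visit with the same certificate produces no prompt, while the swap to the second certificate prompts again and surfaces the changed jurisdiction and registration number even though the entity name is identical.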

Do you look at the business license of every store you walk into? Probably not.

But you have a latent expectation that the store is known to local authorities, who will be able to investigate a crime if that business commits one.

The information in an EV is not for consumer inspection up front, it is a paper trail for investigations to follow after the fact. The optional provision of this paper trail is a signifier to the consumer that this business intends to operate responsibly. Just like going through the trouble of setting up a store front is more trustworthy than pulling a truck full of inventory up to the curb.

What browsers could do better is leverage the EV info for consumers. For example, show a "report a problem with this business" button that connects the consumer with the relevant authorities and/or Better Business Bureau in the locality where that company operates. The EV supplies the legal company name and its locality of origin.