[cptskippy]

Once upon a time businesses had to submit paper work verifying their business to a registrar to get an SSL cert. It wasn't just about encryption but also identity.

I remember as late as 2004 trying to scrounge up copies of our business license to fax or mail into our registrar.

Today the SSL cert has lost it's identity aspect and is just a sign of secure communication, not trusted.

[duskwuff]

> Once upon a time businesses had to submit paper work verifying their business to a registrar to get an SSL cert. It wasn't just about encryption but also identity.

And those policies made it impossible for personal and hobbyist sites to use secure communications, while doing very little to actually prevent abuse. (Most of the apparent "success" of these policies was simply because the motivations for abuse were lower at the time.)

[devwastaken]

SSL was never a sign of trust. That's what people made up. The algorithm has no intention of 'trust'.

Ease of SSL certs provides significantly better protection from threats between you and legitimate sites than potential illigitimate sites.

[cptskippy]

Originally SSL required identity verification and financial costs were very high.

Fraudulent SSL certs weren't a thing because the barrier to entry way so high and the rewards for spoofing a site were low since e-commerce was insignificant.

[nine_k]

Extended validation certificates still exist, and do require the paperwork.

[tonyedgecombe]

As do code signing certs (for Windows developers).

[cptskippy]

Yes and no one really gives a crap about them anymore.