by jfindley 1611 days ago
Absolutely none. It's great for issuers as they get to charge a bunch more money to provide you with exactly zero extra security, which is why some of them try to pretend there's a purpose. There is not. Even the old (ridiculous) argument about user trust doesn't work anymore as browsers have no meaningful display difference these days between normal and EV certs.
1 comments

I can totally understand your frustration. It is way too expensive for certificates and costs have gone off the rails.

Yes, browsers have removed the green trust bar.

Yes, ordinary users have to click on small buttons and manually check against different conventions used by CAs (naming, extensions, OID variants).

However, saying that EV provides no extra security is not entirely true. At least if we look outside the end-users of a website.

It is also used for:

- High security applications that have to ensure their services are trustworthy
- As confidence/trust factors in cyber threat intelligence (if you don't want to get blocked on a false positive, EV is your friend)
- In domain name research when trying to establish ownership
- In machine learning models as an indicator of verifiable trust
- Protects against website copying used in phishing campaigns

I'm focusing on HTTPS here as EV is much more relevant in PKI systems.

EV should be affordable, relevant, have good UX and provide identity security for end-users of browsers, but it is not. Until that changes, most website owners should not buy it.