by amalter
1554 days ago
I posted another response off this article and I still don't quite get the gist of his response.

> The system we built in the 90s would have protected against this attack.

Is "the system" the human-to-human EV certificate process? There were so many obvious and awful social and technical engineering holes in that process that I find it hard to believe anyone would defend it. Certificate expiration was always a danger. There was a single technical contact that could be spoofed or just walk away with the private key. The wider web audience never noticed the EV annotation, and basic human factors tells you they never would. Heck, we can't get people to notice HTTP downgrade attacks. The only protection is TLS everywhere, which never would be possible with slow and expensive authorization methods. (I suppose it was good business for Verisign though...)