[majelix]

> You're really just wasting your time with a "business validated" certificate. The browser doesn't treat it any differently

If your vendor doesn't do a decent job verifying who you are (and this may or may not mean EV), then browsers won't treat the certificate any differently when it's entirely replaced by someone else either.

[asdasf]

It doesn't matter how good a job your vendor does, if there is a vendor that does a bad job, then the attacker can get a cert from them. The presence of a single bad cert authority renders all certificates useless.