by nailer
4023 days ago
Nearly every CA already has an API to do cheap/free-level (DV) SSL certificates for domains you control - all you need is one of: an admin-looking email address, an email mention in whois, the ability to upload a file, or the ability to add a DNS TXT record. Yes, that's a fairly low bar; that's why live.com gets taken over every few years with the same fake-DV-cert attack. This is also why EV certificates exist. Disclaimer: https://certsimple.com, where I work, sells EV certificates; we specifically don't sell DV certs.
I'd consider myself relatively security-savvy and I honestly couldn't tell you which of the sites I visit uses EV certs, and I'm fairly sure I wouldn't notice the browser bar change from green if a site got MITM'd with a valid DV cert after having an EV cert.
Pinning obviously helps in that case but AFAIK that works just as well for DV certs as EV.
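Both comments turn on whether a certificate was DV- or EV-validated, which the browser chrome may not make obvious but the certificate itself records: the CA/Browser Forum assigns one policy OID per validation level, carried in the certificatePolicies extension. The following is an added example, not code from this thread or from certsimple: a dependency-free DER walk that reads those OIDs and reports the level. The OIDs are the real CA/B Forum values; the sample extension bytes at the bottom are constructed for the demonstration.

```python
# CA/Browser Forum certificate-policy OIDs that state how the subject was validated
CABF_LEVELS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}
CERT_POLICIES_OID = "2.5.29.32"  # id-ce-certificatePolicies

def _read_tlv(data, pos):
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def _collect_policy_oids(data, found, in_policies=False):
    """Walk DER; collect every OID inside the certificatePolicies extension value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        if tag == 0x06:  # OBJECT IDENTIFIER
            oid = _decode_oid(value)
            if in_policies:
                found.add(oid)
            elif oid == CERT_POLICIES_OID:
                in_policies = True  # the OCTET STRING sibling that follows holds the policies
        elif tag in (0x30, 0x31, 0xA3) or (tag == 0x04 and in_policies):
            _collect_policy_oids(value, found, in_policies)  # SEQUENCE, SET, [3] extensions, extnValue
    return found

def validation_level(der):
    """Return 'EV', 'OV', 'DV', 'IV' or 'unknown' for a DER certificate (or a lone extension)."""
    oids = _collect_policy_oids(der, set())
    return next((lvl for oid, lvl in CABF_LEVELS.items() if oid in oids), "unknown")

# Constructed sample: a certificatePolicies extension carrying only the CA/B Forum DV OID
SAMPLE_DV_EXTENSION = bytes.fromhex("3013 0603 551d20 040c 300a 3008 0606 67810c010201")

if __name__ == "__main__":
    print(validation_level(SAMPLE_DV_EXTENSION))  # DV
```

Feed `validation_level` the DER bytes of a real leaf certificate (for example one saved from the browser's certificate viewer) to see which of the sites you visit actually carry the EV policy OID.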