Extended Validation certificates and cross-site scripting

Posted Mar 13, 2008 23:16 UTC (Thu) by jwb (guest, #15467)
In reply to: Extended Validation certificates and cross-site scripting by gerv
Parent article: Extended Validation certificates and cross-site scripting

    * Verifying the legal, physical and operational existence of the entity
    * Verifying that the identity of the entity matches official records
    * Verifying that the entity has exclusive right to use the domain specified in the EV
Certificate
    * Verifying that the entity has properly authorized the issuance of the EV Certificate

Each of these four items were advertised features of every SSL vendor on the market since day
one.  The "EV" scheme is only giving us what we used to think we were getting at the normal
price, except now at the new, higher price.  And it's fairly extortionate because if you don't
get your cert signed by one of the authorities with a root cert shipping in Firefox and MSIE,
then your business is effectively slandered as being less safe.

A VeriSign EV cert costs 50% more than one without EV.  Now that EV exists, almost any web
business is pretty much required to get one, lest popular user agents badmouth them.

to post comments

Extended Validation certificates and cross-site scripting

Posted Mar 14, 2008 7:30 UTC (Fri) by gerv (guest, #3376) [Link]

"Each of these four items were advertised features of every SSL vendor on the market since day
one."

Absolutely. I wouldn't want to cast aspersions on any low-cost cert company by suggesting that
they don't do that for the $10 you pay. But now they are being audited to make sure that they
are doing it, it seems that prices have gone up. That's a strange thing. Still, that doesn't
make the fact that the vetting is verifiably being done now any less of a good thing.

Bottom line: EV is only extortionate if you _were_ actually getting what you thought you were
getting before. Do you think you were?