
Extended Validation SSL certificates have been effectively abandoned, as web browsers do not even show them as something special, so my question is: how would you go about safeguarding the user from malicious/fake/fraudulent web sites "selling" stuff when in reality they are stealing money and personal information? A ton of hosting providers sell hosting and domain hosting (second-level domains) to anyone, including for untraceable crypto; whois nowadays can be hidden/anonymized; we've got free-of-charge Let's Encrypt certificates for anyone; so a third grader can create a legitimate-looking website which most people will never be able to recognize.

My idea has been to have a special kind of SSL certificate which has been approved by the authorities as [a] legitimate [business entity]. Why hasn't it been done? This looks easily doable/achievable. Web browsers in this case could show a special icon which says that you're safe. SSL all by itself nowadays guarantees nothing.

  • Your idea is essentially the same as EV certificates. The main reason these were abandoned is that users didn't change their behaviour based on the EV indicator. Personally, I think they were abandoned a bit too readily and more effort should have been put into making them work - or making something similar work.
    – paj28
    Commented Mar 20, 2023 at 14:56
  • @paj28 So the extra question is, why has the initiative been abandoned without ever gaining enough traction. I do remember those certificates used to cost a LOT more (from $500 a year) but for orgs like Amazon/NewEgg/Google/Microsoft that's literally nothing. Commented Mar 20, 2023 at 15:03
  • Do you want to do business with Scammer LLC, Delaware, or Scammer LLC, Utah? It quickly becomes complex, and most consumers have no idea with whom they are actually doing business. For instance, buying a laptop from lenovo.com I'd perhaps expect to be buying from Lenovo? No, I'm buying from Digital River Ireland...
    – vidarlo
    Commented Mar 28, 2023 at 11:16
  • "Scammer LLC" will/should not be certified in any of the "valid" "trusted" countries or states as everything will have to be endorsed by government agencies. That was my point. Commented Mar 28, 2023 at 11:19
  • But it will be. Business registers register business entities; they don't investigate scammers.
    – vidarlo
    Commented Mar 30, 2023 at 8:47

1 Answer

Well, it almost exists. Certificates contain fields referencing the procedures that have been used to deliver them. The main problems are: who cares? And who could be the authority validating that a company is a well-behaving one?

I shall just take a real-world (non-IT) example: boat flags. A number of countries decided to require a number of controls on their own boats and to ask the boat owners to pay for that. And some countries decided to simply ask for less money. Panama is certainly a nice country, but it has an extremely high number of boats per inhabitant...

If you just require a company to find a country to validate it, the same causes will certainly produce the same outcomes: most companies will go to the country asking for less money, and that will certainly be the country applying the fewest controls.

Of course, the USA or the EU have enough weight in the world economy to be able to set up "labels". But that also means either a number of agents to check even the smallest company, or the label has to be restricted to a small subset, which is incompatible with a liberal economy.

That being said, the EU has set up legal rules for what is required for an electronic signature to have the same legal value as a handwritten one. It is just that certificates at that level are rather expensive, because every step involved in the delivery has to be traced, and the identity of the owner must be verified in a face-to-face procedure. And I must acknowledge that I have seldom seen those kinds of certificates, except in governmental procedures, probably because of their cost...

Finally, the major problem is who could be interested in such labels and who is able to set them up. End clients would certainly be interested, but they cannot handle the required organization. Large international companies would certainly both be interested and have the capacity, but the immediate result would be to prevent any smaller company from using the internet for their business, and the legal authorities of the USA and the EU would forbid that. Or the alternative would be a cost for the organization of the label so high that they would find it better not to set it up.

  • Speaking of more malleable/cheaper countries whose governments could circumvent this: an SSL certificate has a Country field, which the web browser could prioritize. So, at least for, e.g., US customers, the issue could seemingly be solved this way. Of course, if you visit a .com website "signed" by the Central South African government, all bets are off. Commented Mar 20, 2023 at 15:01
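Added example (not part of the question, the answer or any comment above): the "fields referencing the procedures" the answer mentions are the certificatePolicies extension, where a CA places the policy OID of the validation level it applied (2.23.140.1.1 is the CA/Browser Forum EV OID, 2.23.140.1.2.1 the domain-validated one that Let's Encrypt style certificates carry), and the "Country field" the comment wants browsers to prioritise is the subject's C attribute, which in an EV certificate sits beside jurisdictionCountryName, businessCategory and the company registration number. The Go program below is my own code, written for this page: it mints two throwaway self-signed certificates, one with the EV OID plus EV subject attributes for a made-up merchant (shop.example.com, "Example Merchant, Inc.", registration number 1234567 are all constructed), one CN-only DV certificate, then reads the fields back the way a browser could. The self-signed EV certificate parses exactly like a real one, which is the answer's point: the OID proves nothing by itself; only the issuer's audited policy behind it does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs from RFC 5280, X.520 and the CA/Browser Forum EV Guidelines.
var (
	oidCertificatePolicies    = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFExtendedValidation = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCABFDomainValidated    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidBusinessCategory       = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// policyInformation is RFC 5280's PolicyInformation SEQUENCE without its optional
// qualifiers; encoding/asn1 ignores trailing members it has no field for, so real certs parse.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// Verdict is what the certificate alone says about who is behind the site.
type Verdict struct {
	Country             string // subject C, the field the comment above wants browsers to weigh
	JurisdictionCountry string // country of incorporation; EV-only subject attribute
	BusinessCategory    string // e.g. "Private Organization"; EV-only subject attribute
	Policies            []asn1.ObjectIdentifier
	ExtendedValidation  bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Classify decodes the certificatePolicies extension and the EV subject attributes. The EV
// policy OID only counts together with the attributes the EV Guidelines require:
// jurisdiction of incorporation, business category and company registration number.
func Classify(cert *x509.Certificate) (Verdict, error) {
	var v Verdict
	if len(cert.Subject.Country) > 0 {
		v.Country = cert.Subject.Country[0]
	}
	for _, atv := range cert.Subject.Names { // Names keeps attributes pkix.Name has no field for
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidJurisdictionCountry) {
			v.JurisdictionCountry = s
		} else if ok && atv.Type.Equal(oidBusinessCategory) {
			v.BusinessCategory = s
		}
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation // SEQUENCE OF PolicyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil || len(rest) != 0 {
			return Verdict{}, fmt.Errorf("malformed certificatePolicies extension")
		}
		for _, pi := range infos {
			v.Policies = append(v.Policies, pi.Policy)
			v.ExtendedValidation = v.ExtendedValidation || pi.Policy.Equal(oidCABFExtendedValidation)
		}
	}
	v.ExtendedValidation = v.ExtendedValidation && v.JurisdictionCountry != "" &&
		v.BusinessCategory != "" && cert.Subject.SerialNumber != ""
	return v, nil
}

// EVSubject is a constructed EV-style subject for a hypothetical merchant; DVSubject is
// the CN-only subject a domain-validated (e.g. Let's Encrypt) certificate typically has.
func EVSubject() pkix.Name {
	return pkix.Name{
		Country: []string{"US"}, Organization: []string{"Example Merchant, Inc."},
		CommonName: "shop.example.com", SerialNumber: "1234567", // company registration number
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
		},
	}
}
func DVSubject() pkix.Name { return pkix.Name{CommonName: "shop.example.com"} }

// NewSelfSignedCert mints a throwaway self-signed certificate with the given subject and
// a hand-encoded certificatePolicies extension, then parses it back as a client would.
func NewSelfSignedCert(subject pkix.Name, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	infos := make([]policyInformation, len(policies))
	for i, p := range policies {
		infos[i].Policy = p
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{subject.CommonName},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: must(asn1.Marshal(infos))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	fmt.Printf("EV: %+v\n", must(Classify(NewSelfSignedCert(EVSubject(), oidCABFExtendedValidation))))
	fmt.Printf("DV: %+v\n", must(Classify(NewSelfSignedCert(DVSubject(), oidCABFDomainValidated))))
}
```

Two design points. First, Classify refuses to call a certificate EV on the policy OID alone: a DV-shaped subject with 2.23.140.1.1 bolted on yields ExtendedValidation false, because the EV Guidelines make the jurisdiction, category and registration number mandatory. Second, nothing here checks the chain; whether the issuer was entitled to assert that OID is decided by the root program's audit of that CA, which is the "who validates" problem the answer describes, and a browser prioritising the C field as the comment suggests still depends on the same issuer having verified it.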
