{"id":35861,"date":"2022-05-12T14:13:41","date_gmt":"2022-05-12T18:13:41","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35861"},"modified":"2022-06-23T17:56:00","modified_gmt":"2022-06-23T21:56:00","slug":"extended-verification-certificates","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/05\/12\/extended-verification-certificates\/","title":{"rendered":"Extended Verification Certificates"},"content":{"rendered":"<p><a href=\"https:\/\/www.troyhunt.com\/how-everything-were-told-about-website-identity-assurance-is-wrong\/\">Troy Hunt<\/a> (via <a href=\"https:\/\/pxlnv.com\/linklog\/website-identity-assurance\/\">Nick Heer<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.troyhunt.com\/how-everything-were-told-about-website-identity-assurance-is-wrong\/\"><p>Ah, now we know the cert has been issued to DigiCert Inc. in the US. So, all good right? No, because who are they? I mean, all we know is that the cert has been issued to an entity with that name, we don&rsquo;t know if they are a certificate authority or a company that certifies how many fingers you have on your hand (digits - get it?). This is what Ian Carroll demonstrated a few years back when <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/12\/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is\/\">he got an EV cert for Stripe Inc<\/a>. Perfectly legit cert issued to a perfectly legit entity, just not the one everyone thought it was.<\/p><p>[&#8230;]<\/p><p>Amazon doesn&rsquo;t have an EV cert, inevitably because they&rsquo;re smart enough to realise it wouldn&rsquo;t do them any good if they did! But you see the problem: if DigiCert wants to make the case that you should inspect a cert by drilling down <em>2 clicks<\/em> (not one) before trusting the site, that clearly flies in the face of how the web actually works. Same with eBay. Same with Alibaba. Same with <a href=\"https:\/\/www.silipocoffee.com.au\/\">the little shop I buy my coffee from<\/a>. Don&rsquo;t &ldquo;look beyond the lock&rdquo; because if you do, you&rsquo;re not going to be buying anything online any more.<\/p><p>[&#8230;]<\/p><p>Let&rsquo;s keep humouring DigiCert: how do you look &ldquo;beyond the lock&rdquo; on mobile? You know, those devices that are now massively dominant in the mobile shopping space? <a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2021\/06\/25\/behind-the-growth-of-mobile-commerce\/?sh=48d0c315353b\">The ones that account for about three quarters of all e-commerce sales?<\/a> Try it on Safari on iOS. Can you figure out how to inspect a site&rsquo;s certificate? You won&rsquo;t, because you can&rsquo;t.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Troy Hunt (via Nick Heer): Ah, now we know the cert has been issued to DigiCert Inc. in the US. So, all good right? No, because who are they? I mean, all we know is that the cert has been issued to an entity with that name, we don&rsquo;t know if they are a certificate [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-05-12T18:13:43Z","apple_news_api_id":"d92a7edf-2e63-476b-b15e-3e2193eca1bd","apple_news_api_modified_at":"2022-06-23T21:56:03Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/A2Sp-3y5jR2uxXj4hk-yhvQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[19,890,31,2078,386,1200,48,581,171,96],"class_list":["post-35861","post","type-post","status-publish","format-standard","hentry","category-technology","tag-amazon","tag-ebay","tag-ios","tag-ios-15","tag-mobilesafari","tag-phishing","tag-security","tag-ssltls","tag-stripe","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=35861"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35861\/revisions"}],"predecessor-version":[{"id":35862,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35861\/revisions\/35862"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=35861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=35861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=35861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}