The site SSLFail has rekindled my disdain for the “Extended Validation SSL” farce. It sounds lofty to have a CA validate that you are who you say you are, but all they really do is make sure you are a corporation or entity of some sort. After which (at least for the CA I use, which is one of the major three), I can order as many EV SSL certs as I want and apply them to any domain that I can register. That includes domains that look like they might belong to someone else, i.e. their brand. I do this on a weekly basis for our clients. I’m not affiliated with company XYZ, but I sure can register a domain and purchase an EV SSL for it!
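To make the point above concrete, here is an added example (not code from the original post) that builds a self-signed stand-in for an EV certificate and then reads back what such a certificate actually asserts. The subject fields an EV CA validates (organization name, jurisdiction, business category, registration number) describe a legal entity; the SubjectAlternativeName lists whatever domains the entity could demonstrate control of. Nothing in the certificate ties the one to the other, which is why a defender should read the O field rather than trust the browser chrome. The organization name, registration number and lookalike domain are constructed values, and the example assumes the `cryptography` package is installed.

```python
"""Added example, not part of the original post: what an EV-style
certificate asserts. Assumes the 'cryptography' package is available."""
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed values: a fictional legal entity and a lookalike domain.
ENTITY_NAME = "Example Holdings Inc"
ENTITY_REG_NUMBER = "1234567"
LOOKALIKE_DOMAIN = "paypa1-login.example"


def build_ev_style_cert():
    """Self-sign a certificate carrying the subject attributes an EV CA
    populates, plus a SAN for a domain that merely resembles another brand."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.BUSINESS_CATEGORY, "Private Organization"),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, ENTITY_REG_NUMBER),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ENTITY_NAME),
        x509.NameAttribute(NameOID.COMMON_NAME, LOOKALIKE_DOMAIN),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)  # self-signed stand-in for the CA
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(LOOKALIKE_DOMAIN)]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )


def ev_assertions(cert):
    """Split a certificate into the two independent things it asserts:
    the validated legal entity, and the domains the key is bound to."""
    def attr(oid):
        values = cert.subject.get_attributes_for_oid(oid)
        return values[0].value if values else None

    san = cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME
    ).value
    return {
        "organization": attr(NameOID.ORGANIZATION_NAME),
        "jurisdiction": attr(NameOID.JURISDICTION_COUNTRY_NAME),
        "business_category": attr(NameOID.BUSINESS_CATEGORY),
        "registration_number": attr(NameOID.SERIAL_NUMBER),
        "domains": san.get_values_for_type(x509.DNSName),
    }


if __name__ == "__main__":
    facts = ev_assertions(build_ev_style_cert())
    print("Validated entity:", facts["organization"], facts["registration_number"])
    print("Domains covered: ", facts["domains"])
```

The output shows a real-looking entity next to a lookalike domain, and the certificate is internally consistent: EV validation answers "who is this organization", not "is this organization the brand the domain name suggests".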
The first time my company acquired an EV SSL, it required some extra jumps through vague hoops. All I know is that it required a call to our main phone line (someone who claimed to be a receptionist) to then talk to one of the persons on our company charter (?) over the phone (someone who claimed to be the CFO). In our case, of course, these people were legit, but phone verification is ridiculous. I’m sure the CA looked up other things, but really the only information given was our incorporation date and entity type (corporation).
I imagine if I were a sole proprietor or LLC I’d still get approved, or at least an agent of mine would get it approved if they ran my web presence and I wanted EV SSL. Besides, like Blizzard not having real incentive to blacklist accounts or credit cards used to purchase exploitative accounts (read this book), what incentive is there for a CA to turn away my desire to purchase an EV SSL? Hah. Integrity and trust? Only if the process were totally transparent!
The point is, I’m less than impressed by the money-making scheme that EV SSLs are. And even less impressed by browsers forcing this adoption. It really is maybe the first time I think Firefox has failed me.