1. 4

  2. 2

    This isn’t a great article, as it very glibly just says “Browser vendors don’t like unnecessary UI clutter, especially in the area of security, and between 2018 and 2019, browsers removed the EV indicators in the main UI” which is simply false.

    The EV UI was removed because not only was it not useful, it was actively confusing for users, and that makes it actively harmful. The sole purpose of a certificate is to prove identity, but the only identity that matters is the domain name you’re seeing, nothing else. Any identity other than the domain name is incorrect, and that was what EV certs walked into: legal name != brand name, multiple organizations with the same identity, etc., and misissuance was fairly trivial, as you didn’t need to control a domain; you just had to register an entity with the right name and use more or less whatever URL you wanted.

    1. 1

      Great write-up, had not heard of the proposal.

      I suspect the solution is for browser vendors to flash up a warning about QWACs when encountered, warning the user that the relevant CA has not been accepted by the browser vendor. Also a setting that allows QWACs to be disabled.