but then the issue is the illusuion of security to the not so technically intrested people.
point 9is even though weak security is better than none if a weak security isnt properly shown to the user it gives the impression it’s more secure than it actually is, which is also the reason why RC4 is disabled in many browsers (exccept firefox which actually asks to “load page with outdated crypto” before actually loading the page)
also an intresting point is that Firefox kicked the lock icon into oblivion in version 4 (even though it reappeared in version 14) because the lock always leaves the impression it’s perfectly secure and stuff while the Green EV bar was not that popular at the time and/or that banks and other stuff mostly pointed out “look for the lock” and that remained in the memory.
way back when certificates were a lot more expensive that was true because SSL certificates were a lot more expensive (well obvious) which for one point lowers the number of attackers that will even try that approach and not to forget that SSL Certs back then had way higher validation standards which are pretty similar to EVs today.
that’s the part where the Identity bar from back then comes in. it either listed the entity name for EVs or the domain name for DV/OV certs, which also makes it easier to discern these attacks where an attacker uses a really long subdomain which looks like a path. because even if the user did not look for the green bar it was pretty obvious from the identity bar that it was not your bank site.
a development of the browsers that made stuff actually worse is how chrome and FF do the lock handling. I dont know since when chrome always uses green locks but Firefox iirc does it since version forty-something, I am not sure. IN MY OPINION, green is a color that should be reserved for EVs and it should use another color for DVs like grey which was used before, or the blue from the identity bar in FF versions 4-13. the even more intresting part is that actually microsoft (the company which had the worst browser for a long time, as seen by their standard support) actually implemented grey, hollow locks for DV/OV certs in more recent versions of Edge, why I dont actually understand the point of making it hollow because the encryption is actually not weaker than EV, but just the verification, which is the point of the lock losing its green color.