Is it safe to use HTTP in domain validation?

Thanks for your detailed and precise explanation. I had never truly understood why we need different types of SSL certificates, but now I have. Domain Validation contains less information than Extended Validation. End users should not think that it’s 100% safe if they browse a website that uses a Domain Validation Certificate.

End users shouldn’t rely solely on the presence of any certificate, even an EV. It’s a good way to make sure that communication back and forth is secured, but is at best a weak sign of identity.

I know that EV have a much more rigorous process for being issued, but it’s still possible for a very dedicated individual to fool a CA into issuance, even if only for a short time. However, if my bank usually uses an EV cert and I’m suddenly presented with a non-EV site, I know to be extra cautious.

Well, certainly if you go to famousbrand.example, and it has a DV certificate, you know only that you are visiting the site famousbrand.example and not whether it’s actually the web site of Famous Brand. But on the other hand, if you go to obscurecompany.example, and they have an EV certificate proving they’re really Obscure Company, so what? Who are Obscure Company? You’ve never heard of them, so being confident this is really their site hardly helps.

I believe there was a US company which was named Trump University and would presumably have been able to obtain an EV certificate for the name Trump University to put on a web site trumpuniversity.example. But of course they were not a University at all, they simply used that name because it made their dubious (some might say outright fraudulent) business look legitimate…
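An added example, not from any poster in this thread: a Python script using the `cryptography` library that reads the CA/Browser Forum certificate-policy OID a certificate carries to classify it as DV/OV/EV, states the identity claim the certificate actually supports (domain control only, versus domain control plus a vetted organisation), and flags the EV-to-non-EV downgrade mentioned above. The certificates are self-signed test certificates constructed inline using the thread's placeholder names; they are not CA-issued.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# CA/Browser Forum reserved policy OIDs that publicly trusted certificates carry to declare their validation level.
CABF_POLICY = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
               "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}
RANK = {"DV": 0, "IV": 1, "OV": 1, "EV": 2}

def validation_level(cert: x509.Certificate) -> str:
    """Return DV/OV/IV/EV, or 'unknown' if no CA/B Forum policy is asserted."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return "unknown"
    for policy in ext.value:
        level = CABF_POLICY.get(policy.policy_identifier.dotted_string)
        if level:
            return level
    return "unknown"

def identity_claim(cert: x509.Certificate) -> str:
    """What the certificate actually vouches for, in the thread's terms."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    if validation_level(cert) in ("OV", "EV") and orgs:
        return f"control of {cn}, operated by {orgs[0].value}"
    return f"control of {cn} only"

def is_downgrade(expected_level: str, cert: x509.Certificate) -> bool:
    """True when a site you know as e.g. EV now presents a weaker certificate."""
    return RANK.get(validation_level(cert), -1) < RANK[expected_level]

def make_test_cert(common_name, policy_oid, org=None):
    """Constructed self-signed certificate for demonstration only (not CA-issued)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    policies = x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(policies, critical=False).sign(key, hashes.SHA256()))
```

On a real connection you would pass the peer certificate loaded with `x509.load_der_x509_certificate` instead of a constructed one; the policy OID only tells you the level the CA asserted, so it still assumes the chain validated against a trusted root.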
