Why? In the m1cros0ft.com example, you just need one domain, and you can send a phishing link out to millions of addresses.
> And unfortunately, a whole generation of computer-illiterate users believe that lock means the site is legit.
That's exactly why EV doesn't help, because those users _also_ don't know that the absence of green is supposed to carry semantic meaning. In fact, those users largely don't know or care what a URL is in the first place.
HTTPS everywhere is unequivocally a good thing. I can (and do) personally run websites that have active user accounts precisely because of Let's Encrypt; it would be a terrible idea to train my users that they should type a password into a form that's submitted over HTTP. But I don't have a budget to pay rent-seeking CAs for certificates whose value is based on artificial scarcity.