Practical difference between a DV and EV/OV SSL certificate?

security ssl-certificate

An OV/EV certificate would contain the O (Organization), C (Country), etc values (part of that the CA states that they have validated), all visible to any user who actually decides to look at it.

In more detail, if we look at two different major branches of browsers:

For Chrome (92): for EV it shows directly in the overview that pops up when you click the padlock symbol "Issued to: O [C]" (Organization name and country)
For Firefox (90): for EV it shows directly in the overview that pops up when you click the padlock symbol "Certificate issued to: O" (Organization name)

(The "green address bar" mentioned in the question is in reference to a historical UI element that showed essentially the above information directly in the address bar.)

For Chrome and Firefox: for EV as well as OU, if you click through to view the actual certificate and go to the "Subject" section, you would have the full list of claimed information about the subject. O (Organization), OU (Organizational Unit), L (Locality), S (State/Province), C (Country), whatever else may be included.

So it is all there and can theoretically be inspected by any end user. The problem in this regard is that it is very rarely actually viewed by users in practice.
I suppose there is a slightly higher chance that the summary for EV certs (with O and sometimes C) is seen by a user, but even that is a real long shot.

And for completeness, any of these certs only contain the values about the subject that have been validated by the CA, meaning that for DV certs, the subject section will not have any of this information as the CA has only validated that the subject controls the domain name in question. The useful part of a DV cert would really only be the SAN section, but that is what the browser is already validating for you and throwing a fit if there is a mismatch.


I will let Troy Hunt's "Extended Validation Certificates are (Really, Really) Dead" (August 2019) answer your question. The older article has all the examples with pictures, but to summarize:

The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.

– – no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.

Comodo is free to state anything while trying to make profit with this product as long as they can.

Also, criminals could use the ComodoCA Trust Logo on e.g., a phishing site as they are already breaking the law and, therefore, it would not add much to their burden of sin.

Related

Connecting two nodes, dynamic tcp connections tunneling through a central server
Broken lvm results in read_urandom error
[service I created].service: Failed to execute command: Permission denied
What does the TW mean in NANYA RAM?
Postfix smtp mail to external hosts not possible
P420i controller / 2 disks failed in RAID5 / RAW FS after parity initilization
Linux IPSec Tunnels does not forward IP Packet with ECN bit set to CE (Congestion Experienced)
How to add ipv6 to Google cloud firewall rules
How to Enable IPV6 on Windows Server 2012 R2 (Cloud Google VPS)
Beginner: Ansible The offending line appears to be
How to install libsrtp 1.5 on Centos 7?
How can a bog-standard Wordpress install break PHP?