Troy Hunt @troyhunt, 15 tweets, 4 min read
Alrighty, let's tear this apart because the FUD from the CA Security Council is deafening. We'll start with this short video:
The CASC includes some of the world's largest commercial certificate authorities and is pushing hard to drive the adoption of EV certs in an era where it's increasingly hard to make any money from DV.
It's a very marketing-centric consortium including the likes of Comodo, Entrust and GoDaddy, all of which have some rather "notable" history as it relates to marketing certs.
For example, seeing the impending threat of @letsencrypt, Comodo attempted to trademark the name "Let's Encrypt" then their CEO defended the move by saying "How can you prove it was them who made [the name] up?"
Entrust has been making claims such as "it is known the EV is safer than DV" without any supporting facts and then basing phishing prevalence on a nonsensical argument @sleevi_ shot down in this thread:
GoDaddy have been flat-out lying about what Chrome will look like later this month when the visual indicators change in an attempt to sell certs (and also, "an SSL"?!) as pointed out by @Scott_Helme in this thread:
Back to the video, it's published on the "Connect Marketing" channel and they're also the contact on the CASC's about page. Their mission is to "get more qualified leads" so it would be fair to say that marketing is a cornerstone of the CASC's mandate here.
The video then talks about all the visual indicators you get in the browser when EV is present: padlock, org name and (usually) the country ID. But it doesn't mention that you don't presently get this in Chrome on Safari.
It also doesn't mention that Google is actively testing removing the visual indicators from Chrome on the desktop:
Furthermore, the EV indicators are going from Safari on both iOS12 and Mojave when it lands in Sep, so there's a MASSIVE slice of the web audience no longer seeing the org name:
The video says "the most trusted websites are authenticated with an extended validation certificate" and "checking for these indicators will help protect you against fraudsters". Really? Let's check the world's largest, most phished sites:
Facebook, eBay, Amazon, Netflix, YouTube, Google, Microsoft, Gmail, Instagram, Snapchat, Pornhub, Yahoo and even Connect Marketing - none of them have EV! So do you *really* think people are looking for EV before trusting a site? Of course they're not.
The crazy thing is that the CASC is selling EV to the very parties it does nothing to protect: if you buy an EV cert for your site, that doesn't stop a phishing site getting a DV cert which people trust just as much because 99.x% of people have no idea what an EV cert is anyway!
Here's the crux: EV only stops phishing if people change behaviour in its *absence*; when almost every major website doesn't have it and browsers are removing the visual indicators, do you *really* think people are just leaving the site and not trusting it when they don't see EV?
Lastly, I'm not against EV, I'm against the misrepresentation of what it achieves. By all means, go and get an EV cert, but don't expect it to make an ounce of difference to your customers getting phished.
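The thread's point that the big sites run DV rather than EV can be checked without relying on the browser chrome the thread says is disappearing: the CA/Browser Forum reserves policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV) that appear in a certificate's certificatePolicies extension. The example below is added here and is not part of the thread; it parses that extension's DER directly, and the sample extension bytes (including the CA-specific OID 1.2.3.4) are constructed for the demo, not taken from any real certificate.

```python
"""Classify a certificate's validation level from its certificatePolicies
extension, using the CA/Browser Forum reserved policy OIDs."""
from typing import List

# CA/Browser Forum policy identifiers (real, from the Baseline/EV Requirements).
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content octets into dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier in a certificatePolicies value
    (SEQUENCE OF PolicyInformation { policyIdentifier OID, qualifiers... })."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)  # one PolicyInformation
        itag, oid_bytes, _ = _read_tlv(info, 0)
        if itag == 0x06:                    # first element is the OID
            oids.append(decode_oid(oid_bytes))
    return oids


def validation_level(ext_value: bytes) -> str:
    """EV beats OV beats DV if several CABF OIDs are present; else 'unknown'."""
    oids = policy_oids(ext_value)
    for label, oid in (("EV", CABF_EV), ("OV", CABF_OV), ("DV", CABF_DV)):
        if oid in oids:
            return label
    return "unknown"


def _der(tag: int, content: bytes) -> bytes:   # short-form lengths only
    return bytes([tag, len(content)]) + content


# Constructed samples: EV policy plus a made-up CA-specific OID 1.2.3.4; and DV only.
SAMPLE_EV = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("67810c0101")))
                 + _der(0x30, _der(0x06, bytes.fromhex("2a0304"))))
SAMPLE_DV = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("67810c010201"))))
```

Feed it the raw value of extension OID 2.5.29.32 from any leaf certificate (e.g. via openssl asn1parse) to see which CABF level the CA actually asserted.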