Well … maybe not.
SSL: great idea; not always well executed. Certificate Authorities (CAs) that issue SSL certificates for websites are supposed to carefully vet the requester, to make sure the business is valid (lookup in D&B, for example), that the administrator actually works for the company in question (HR query), and that the DNS domain is owned by that enterprise. Once all these hoops are jumped through, the cert is issued.
It turns out, however, that it’s much easier and cheaper simply to check whether a given domain name is legitimate (for varying values of “legitimate”) and the person requesting a cert can receive email at that domain. This is what several CAs started to do for SSL—especially during price wars a half-decade ago—and is why https://phish-all-day.example.com could have its SSL cert despite nefarious intent.
Extended Validation (EV) certificates were supposed to solve this problem. By introducing a governance organization (the CA/Browser Forum http://www.cabforum.org/), creating new rules for vetting, refactoring Certificate Policies (CPs), and requiring stringent audits of CAs, EV-SSL-requesting businesses were supposed to receive special scrutiny to avoid fraud and mayhem in cert issuance. Furthermore, and importantly, browsers implement a candy-colored URL status bar
to show users whether they’re browsing an EV-cert-equipped website or not (in truth, browser implementations to date are simply green or not-green specifically for EV-cert status; additional candy-coating is applied for reputation filters and other stuff). A side effect of this newfound rigor is more $$ charged for certificates.
Less fraud is a good thing, yes? Here’s the bad news: EV certs can be bypassed. As reported by The Register, “Websites that use an enhanced form of digital authentication remain just as vulnerable to a common form of spoofing attack.” www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/) More than one person has stated that the green bar really doesn’t matter to users; it’s just a way for CAs to make more money. And although I believe in good intentions of the CA/Browser Forum, it seems that they went after the high-end revenue-generating solution and missed some essentials.