What is the value of an “Extended Validation” (EV) SSL Certificate?

It boils down to one different letter in a domain name

John Horst, CISSP® — ISSAP®
Published in The Startup
6 min read · Jun 28, 2019


Hans McMurdy started out with a response to my article “Why Let’s Encrypt is a really… bad idea” and ended up writing his own article, which I highly recommend. It is very well written because it is clearly addressed to a non-technical audience. This is the kind of thing we in the cybersecurity arena badly need to get much better at doing.

At the end of his response post he asks whether “…strictly speaking, from a security perspective do SSL EV’s provide any objective protection or value to consumers for things such as phishing, MITM’s, etc?” Like Hans, I started with a response and quickly realized this requires its own article.

What is an Extended Validation (EV) Certificate?

Most SSL certificates are issued after a process called “Domain Validation” (DV). The Certificate Authority (CA) will offer a couple of options for this. The two most common are a lookup of what is called a TXT record in your domain’s registration or an email sent to an address at your domain. For the first, the CA will give you the text to use when creating the TXT record. This means you either need to know how to manage your DNS records or have someone…
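A sketch of the TXT-record check described above, as an added example that is not from the original article or any CA's code. The `_dv-challenge` label, the `.test` names and the zone text are constructed assumptions; the point is that the check establishes control of DNS for one exact name and nothing about who the applicant is.

```python
import hmac
import re
import secrets

CHALLENGE_LABEL = "_dv-challenge"  # hypothetical label; each CA defines its own

# Matches: name [ttl] [IN] TXT "string" ["string" ...]
LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.+)$', re.IGNORECASE)


def issue_challenge() -> str:
    """CA side: random text the applicant must publish in a TXT record."""
    return secrets.token_urlsafe(32)


def parse_txt_records(zone_text: str) -> dict:
    """Parse zone-file style TXT lines into {owner name: [value, ...]}."""
    records = {}
    for line in zone_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()  # DNS names are case-insensitive
        # A TXT record may hold several quoted strings; they are concatenated.
        value = "".join(re.findall(r'"([^"]*)"', m.group(2)))
        records.setdefault(name, []).append(value)
    return records


def domain_validated(domain: str, token: str, records: dict) -> bool:
    """CA side: True if a TXT value at the challenge name equals the token."""
    name = f"{CHALLENGE_LABEL}.{domain.rstrip('.').lower()}"
    return any(hmac.compare_digest(v.encode(), token.encode())
               for v in records.get(name, []))


def demo() -> dict:
    token = issue_challenge()
    # Constructed zone: the applicant controls shop.test and publishes the
    # token, split across two strings as long TXT values often are.
    zone = (
        'shop.test. 300 IN TXT "v=spf1 -all"\n'
        f'_dv-challenge.SHOP.test. 300 IN TXT "{token[:20]}" "{token[20:]}"\n'
    )
    records = parse_txt_records(zone)
    return {
        "shop.test": domain_validated("shop.test", token, records),
        "bank.test": domain_validated("bank.test", token, records),
        "wrong token": domain_validated("shop.test", issue_challenge(), records),
    }
```

`demo()` returns a pass only for the name whose zone carries the token; the result holds no organization name, address or legal identity.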

John Horst, CISSP® — ISSAP®

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech. https://goo.gl/2z5Snr