So Let's Encrypt - awesome. On a side note, I was wondering what the difference is between the base certs issued by LE vs. those fancy super, extra double / triple level certs ("EV"? if I recall) practically speaking.
LE enables Domain Validated certs...so you'll get a green lock in most browsers.
The Extended Validation certs give you the green lock AND the name of the organization. The EV assures you that the company you're doing business with has been vetted...but customers don't know and most have not been educated about the differences in encryption and trust.
The gimmick on the super fancy certs that give the big green bar w/ company name next to the URL is that they supposedly mean the CA has done a super thorough investigation on the company and verified that they really are who they say they are. Those certs cost like $1k from most vendors. This could be valuable if you get a lot of people trying to imitate your company or domain; for example, something like nikeshoes.com v. nike.com. But since most customers don't actually know any difference, the practical value is very small.
By contrast, a normal SSL cert is issued just by confirming control of one of the domain's email addresses.
Technically, it's the difference between the baseline requirements (for all certs) and the EV requirements (required only for EV), which are at https://cabforum.org/wp-content/uploads/EV-V1_5_7.pdf. In order to get an EV cert, you must pass those requirements, specifically:
- government information sources
- qualified independent information sources
- all domain names must be inspected by a human
- phone calls to your office
Additionally Google mandates Certificate Transparency for EV, so all EV certs have CT as a result.
EV is also required for .onion services, because what would be the point of anonymity unless you actually knew who you were talking to.
In the 90s it took a long time for certs to be issued: you'd fax ID to VeriSign, they'd verify your identity and sign your certificate.
DV was introduced by Geotrust as a way of saving money for CAs: DV just means you can register a domain: even if the domain seems like it belongs to a particular legal entity, DV makes no assurances that it does. People can and do get DV certs that seem like they're for major companies all the time. The process is entirely automated, and nobody is asserting any identity: https://google.com.mg and https://google.com.im exist, they're not Google, and that's fine because DV certs don't assert identity.
EV does actually assert a connection between the certificate and a specific legal identity, which is encoded in the certificate, signed and displayed in the browser. EV isn't perfect: you could attempt to be verified as another company. However it is the only type of certificate that assures an actual identity to browsers.
Disclaimer: I work for a startup that's created significantly faster, more painless EV validation. We think it's important that Alice knows she's talking to Bob.
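The point made across the comments above (DV binds a key to domain control only, EV encodes a vetted legal identity in the certificate, and EV certs are expected to carry CT data) can be checked mechanically. The script below is an added example, not code from any poster or from the startup mentioned: it classifies a certificate as DV, OV/IV or EV from the CA/Browser Forum reserved certificatePolicies OIDs and the Subject fields the EV Guidelines require, and flags inconsistencies such as an EV policy without the mandated identity attributes or an organizationName inside a DV cert. The sample subjects are constructed; `inspect_pem()` assumes the third-party `cryptography` package is installed, while the classification itself is plain Python.

```python
"""Work out what identity a certificate actually asserts (DV, OV/IV or EV).

Added example; not from this thread. Classification uses the CA/Browser
Forum reserved certificatePolicies OIDs that publicly trusted CAs include
next to their own policy OID, plus the Subject fields the EV Guidelines
require. The PEM loader at the bottom needs the third-party `cryptography`
package; the classification itself is pure Python.
"""

# CA/Browser Forum reserved policy identifiers
EV_OID = "2.23.140.1.1"     # Extended Validation
DV_OID = "2.23.140.1.2.1"   # Domain Validated
OV_OID = "2.23.140.1.2.2"   # Organization Validated
IV_OID = "2.23.140.1.2.3"   # Individual Validated
# Extension carrying embedded Certificate Transparency SCTs (RFC 6962)
SCT_EXT_OID = "1.3.6.1.4.1.11129.2.4.2"

ORG_OID = "2.5.4.10"
# Subject attributes the EV Guidelines require: OID -> attribute name
EV_REQUIRED_SUBJECT = {
    ORG_OID: "organizationName",
    "2.5.4.5": "serialNumber",  # registration number of the legal entity
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}

# Constructed sample subjects (not taken from real certificates)
SAMPLE_EV_SUBJECT = {
    "2.5.4.3": "www.example.com",
    ORG_OID: "Example Corp",
    "2.5.4.5": "12345678",
    "2.5.4.15": "Private Organization",
    "1.3.6.1.4.1.311.60.2.1.3": "US",
    "2.5.4.6": "US",
}
SAMPLE_DV_SUBJECT = {"2.5.4.3": "google.com.mg"}  # DV: only a CN, no O


def classify_validation(policy_oids, subject):
    """Return (level, notes). policy_oids: dotted-string OIDs taken from
    certificatePolicies; subject: dict of attribute OID -> value."""
    policies = set(policy_oids)
    notes = []
    if EV_OID in policies:
        missing = [n for oid, n in EV_REQUIRED_SUBJECT.items() if oid not in subject]
        if not missing:
            return "EV", notes
        # Claims EV but lacks the mandated identity fields: downgrade and flag
        notes.append("EV policy asserted but subject lacks " + ", ".join(missing))
    if IV_OID in policies:
        return "IV", notes
    if OV_OID in policies:
        return "OV", notes
    if DV_OID in policies:
        if ORG_OID in subject:
            notes.append("DV policy but subject carries an unvetted organizationName")
        return "DV", notes
    if not policies & {EV_OID, DV_OID, OV_OID, IV_OID}:
        notes.append("no CA/B Forum reserved policy OID; inferring from subject")
    return ("OV" if ORG_OID in subject else "DV"), notes


def describe(policy_oids, subject, has_embedded_sct=False):
    """Summarise what a relying party may conclude from the certificate."""
    level, notes = classify_validation(policy_oids, subject)
    if level == "EV" and not has_embedded_sct:
        notes.append("EV without embedded SCTs; Chrome expects CT for EV")
    return {
        "level": level,
        # DV binds the key to domain control only, never to a legal entity
        "asserted_organization": subject.get(ORG_OID) if level != "DV" else None,
        "ct_embedded": has_embedded_sct,
        "notes": notes,
    }


def inspect_pem(pem_bytes):
    """Parse a PEM certificate with `cryptography` and run describe() on it."""
    from cryptography import x509  # third-party; assumed installed for this path
    cert = x509.load_pem_x509_certificate(pem_bytes)
    subject = {a.oid.dotted_string: a.value for a in cert.subject}
    policies, has_sct = [], False
    for ext in cert.extensions:
        if isinstance(ext.value, x509.CertificatePolicies):
            policies = [p.policy_identifier.dotted_string for p in ext.value]
        elif ext.oid.dotted_string == SCT_EXT_OID:
            has_sct = True
    return describe(policies, subject, has_sct)


if __name__ == "__main__":
    # "1.2.3.4.100" stands in for a CA's own policy OID (placeholder value)
    print(describe([EV_OID, "1.2.3.4.100"], SAMPLE_EV_SUBJECT, has_embedded_sct=True))
    print(describe([DV_OID], SAMPLE_DV_SUBJECT))
```

The classifier deliberately trusts the reserved policy OIDs over the Subject contents: a DV certificate that happens to carry an O field is still reported as DV, because the CA never vetted that field, and an EV policy that is not backed by the required registration, category and jurisdiction attributes is downgraded rather than believed.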