Types of SSL certificates and their value
Domain validated SSL (DV)
Once upon a time, businesses selling SSL certificates told you to get a SSL certificate to gain trust from your website visitors. This little green lock in the browser bar would make you sell more. Now that Domain Validated certificates are free and everywhere, those same businesses are telling you that this is not enough to gain trust, or even worse. So, now you need to buy a new type of SSL certificate.
Organisation validated SSL (OV)
Before issueing an Organisation validated SSL certificate some vetting of the organisation applying for the certificate is carried out, and this information shows up in the certificate.
Extended validated SSL (EV)
Before issueing an Organisation validated SSL certificate even more vetting of the organisation is carried out, resulting in a certificate displaying the organisation name in green on the browser bar.
The general public knows about the green lock. If everyone realises what the green lock actually means, I don't know. I often wonder how many internet users actually look at the issuer of a certificate, and base their trust on that. Not many I think. Ask around. "Do you look at the issuer of a SSL certificate when you are buying something online?", many glazed eyes I guess. "Increased customer confidence" is a hollow phrase, imho, there is no visual difference between a DV or OV ssl certificate, and even EV certificates don't always stand out enough to catch the eye. And, EV certificates come in many, indistinct, flavors.
Recently there have been news reports about the "green lock". Once, it meant trust. Now, it doesn't mean a thing, or worse, you have to be extra careful. The businesses selling the certificates are to blame.
Secure, or Trustworthy?
SSL certificates actually do only one thing. Traffic between your browser and the server you visit is encrypted, so others can't see what you are sending to and recieving from eachother. That's all, that's it. If you mix trust in the valuation of SSL certificates things get shady. Trust is a value sold. Encryption is a technical thing. Mixed, it's a discussion. We shouldn't.
Let's get rid of the certificates.
Domain validated SSL certificates are used and valued for a single purpose, secure information exchange. There are many holes in the supply chain, so their value to ensure identities is marginal at least. Let's forget that. Let's standarize encrypted traffic, without the use of issued certificates. Encrypt everything. Yes we can. So we don't need domain validated SSL certificates anymore. And, since OV certificates don't do much for the general public, get rid of them too.
Value of Extended Validation SSL (EV)
There are many business selling Extended Validation SSL certificates. They range in prices from USD 200 to USD 3000 per year. The vetting of the companies applying for an EV certificate seems to differ a lot. Does that show in the certificate? No. It's a "green bar certificate". Again, the general public, if they see the "green bar" at all, cannot tell the difference between green and green. Sure, the companies "allow" you to put an extra badge of some sort, a "site seal" on your site. Most likely it messes up your site design, and, shouldn't "Extended Validation" speak for itself?
Is SSL an International or only "Western" thing?
If you look at Russian or Chinese (government) sites, it seems they don't care much for SSL. Only companies operating in "the west" go for SSL. You may argue that SSL is a danger for oppressive governments, since it makes spying on their citizens more difficult. Or, maybe they don't want to use encryption controlled by Western countries, where intelligence agencies may have access to encryption keys? Afaik, there are no active, independent Russian or Chinese certificate authorities, supplying certificates for the "general public", like in "the west".
In the begining of the Internet, people didn't think much about encrypting traffic to avoid spying. Encryption has been "hacked in" later on, and became, in a way, controlled by commercial companies. Let's get rid of SSL certificates, let's make encryption standards without the need for certificates. Built in client and server encryption, for all.
I am all for having a way to ensure identities of Internet sources. But, should we entrust privatly owned companies with that? Companies bound to a location? The internet isn't. There are quite a few big companies, who issue "the highest trust" certificates, to themselves. To themselves, isn't that paradoxal? We from "the highest trust company", trust "the highest trust company", and therefore you and your clients should trust "the highest trust company". Tell that to China and Russia. They don't trust US based certificate authorities.
As long as EV certification is not an Internationally accepted and used standard, which can be trusted by all countries, EV has some way to go. Green is the color of money, for now, and that's US dollar green.
Even Cabforum, the organisation that laid down the SSL certificate guidelines for all, is lead by people working at commercial, SSL selling, companies....