1. roblab+(OP) 2023-07-26 18:05:46
TLS used to also guarantee that you were talking to the correct entity, that's what EV certificates are for. So there was a verification step that ensured that you were indeed the business/organization you were claiming to be.

The EV certs still exist, but the browsers don't really differentiate between DV and EV certs anymore.

2. lxgr+b1 2023-07-26 18:09:58
>>roblab+(OP)
Ah, yes, in that sense I can see the parallel (in that being reachable in modern browsers is contingent on being able to obtain a TLS certificate). I remember similar concerns being raised about browsers discouraging HTTP.

But TLS certificates solve a much narrower problem than WEI ("are you communicating with the site you think you are") and are widely and cheaply available from multiple organizationally independent certificate authorities.

In particular, TLS certificates don't try to make an assertion about the website visited, i.e. "this site is operated by honest people, not scammers". WEI does, with the assertion being something like "this browser will not allow injecting scripts or blocking elements".