The case of the “Intended Recipient”

One of the most harmful aspects of DV certificates is that they give a false sense of security to anyone entering their user names and passwords…the “Form Fields” on websites.

When someone enters their private information on a specific website, they intend only that specific website to receive it.
The user believes they are making sure that only the website they think they are on will receive this private information.

Here is an example of a user who thinks this is PayPal’s website and enters their information because they see the “Secure” logo.

This is misleading and damaging, and it causes more harm to consumers as the adoption of DV certs skyrockets. Look at the list of all these phishing sites with “Secure” trust indicators!

You will hear people say: Yeah, but end users don’t care about these indicators, look at the research papers …(and they will produce research papers that they paid for!)….

My answer to them is: Then why have it? Remove it. Your own paid research paper says no one cares, so remove it! You can’t have it both ways. You can’t say users don’t care and then continue showing it to users, knowing that it will cause harm to them.

Then they will say: Yeah, but the information is protected from “eavesdroppers”….

My answer to them is: in the case of usernames and passwords (or any other sensitive information), the most important thing is to make sure the intended recipient receives the information. Obviously, in the above PayPal page, the recipient was worse than the eavesdropper, wasn’t it! DV does not provide that (apart from one small use case which is not material).

Do NOT show “Any Positive Indicator” for DV, especially on a page where the user enters sensitive information. You are harming consumers! By all means continue enciphering the traffic, but stop harming consumers by showing positive indicators for DV! This way you achieve the goal of protection from the transit provider without harming consumers by giving them a false sense of security like the above web page!
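The policy argued for above can be sketched in a few lines. This is an added example, not code from the original post: the certificates are constructed samples in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and `vouched_identity` and `indicator` are hypothetical names. It relies on the CA/Browser Forum Baseline Requirements rule that a DV certificate carries no `organizationName` in its subject.

```python
# Constructed sample certificates (hosts and organisation are made up),
# in the dict shape returned by ssl.SSLSocket.getpeercert().
DV_LOOKALIKE = {
    "subject": ((("commonName", "pay-example-login.example"),),),
    "subjectAltName": (("DNS", "pay-example-login.example"),),
}
ORG_VALIDATED = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Payments, Inc."),),
        (("commonName", "pay.example"),),
    ),
    "subjectAltName": (("DNS", "pay.example"), ("DNS", "www.pay.example")),
}


def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into one dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def vouched_identity(cert):
    """Return what the CA actually vouched for.

    Every publicly trusted certificate vouches for control of its domains.
    Only certificates with an organizationName also name a validated
    recipient; a DV certificate has none, so 'organization' is None.
    """
    domains = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "domains": domains,
        "organization": subject_fields(cert).get("organizationName"),
    }


def indicator(cert):
    """Hypothetical UI policy: no positive indicator without a named recipient."""
    if vouched_identity(cert)["organization"] is None:
        # Traffic is still encrypted in transit; the UI makes no trust claim.
        return "neutral"
    return "positive"


if __name__ == "__main__":
    for name, cert in (("DV", DV_LOOKALIKE), ("validated org", ORG_VALIDATED)):
        print(name, vouched_identity(cert), "->", indicator(cert))
```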

With the recent news from Chrome saying that any website accepting user input (username, password or any other input) now must use a certificate, and because the overwhelming majority of these sites use DV certificates, this unfortunately will increase consumer harm drastically.