
I've been around long enough to remember when getting a website was really expensive. Like hundreds of thousands of $.

TLS was expensive. And insanely profitable. The sale of Thawte to Verisign was north of 600 million. (Back when 600 million was "a lot"). Since the marginal cost of making a cert is zero it was a literal cash machine.

LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.

So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.

I can't say I'll mourn any of them.



I have been helping individuals and small businesses set up websites since the 90s. At no point in time did getting a website cost "hundreds of thousands of $".

Hundreds? Sure. Thousands? Maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way.


There was a whole bunch of execs convinced you couldn’t serve an HTML file without a massive Sun server


whitehouse.com maybe?


But aren't there some differences? LE doesn't verify identity. Though I'm not saying that the big CAs are that thorough.


Browsers stopped prominently showing the identities in EV certificates long ago. There is zero value in paying for a TLS certificate.


I remember many moons ago, like the Netscape era, when companies that paid for EV certs got special icons and a green address and all sorts of browser indications of trustworthiness.

I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.


In Chrome you can click on the icon next to the address and then on security, it will show the name of the company the cert is issued to. Quite hidden though.

But yeah, Safari is always something I have trouble finding the cert in; they are really hiding it.


Well, it can be bypassed by setting up a new company with the same name. Someone had done that against Stripe, I remember.


EV certs show the company name and the country, for disambiguation, on the assumption that you cannot have two companies of the same name in the same country. However, this is not true in the USA, where names are unique only within each state.

That's how someone got an EV cert for Stripe (USA).


That’s true. It’s a bit of a self-fulfilling prophecy: the browsers didn’t present a meaningful verification UI, then removed the UI because users didn’t find it meaningful.

Steak isn’t delicious because, after I pee on it, people dislike the taste.

The concept of matching a real-world identity to a public key is very much intact outside the browser world.


Browsers did display EV certs in very significant ways in the 2010s with green address bars. Safari even hid the URL and only displayed the certificate owner name.


> with green address bars.

Yes. A green address bar isn't meaningful verification UI. That is why no other platform uses green bars for verification.


Whether the CA verifies identity or not is irrelevant. Since the end user does not see the certificate they are all functionally equivalent.

And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.

For example, when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?



