[llvm-dev] Bugzilla invalid certificate issues
Stephen Checkoway via llvm-dev
llvm-dev at lists.llvm.org
Mon Feb 13 17:57:37 PST 2017
> On Feb 13, 2017, at 15:24, Chris Matthews <chris.matthews at apple.com> wrote:
> EV certs attempt to validate the identity of the organization that holds them. That is a nice assurance to have from a place that makes the thing that compiles your code.
Although I appreciate that concern, downloads are currently available only via http (or via https with a TLS cert warning about invalid common name), so any improvement here would be good (as just happened with bugs.llvm.org).
As an aside, EV certs don't really offer a guarantee of identity validation (indeed EV certs have been misissued in the past). They're really a form of Jackson's and Barth's "finer-grain origin" which, as they point out, isn't respected by the browser's same origin policy. Although I'm not aware of any studies on this, I'd be shocked if even expert users noticed that a site moved from EV certs to DV certs. There's much more security to be had with HSTS.
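Added example, not part of the thread and not LLVM project code: a small checker for the HSTS policy mentioned above. It parses a Strict-Transport-Security header according to RFC 6797 and reports the weaknesses a defender would look for (missing header, malformed value that browsers silently ignore, short max-age, no includeSubDomains). The response headers it runs over are constructed for illustration, and the one-year threshold is the value commonly required for preload lists, an assumption rather than something the thread states.

```python
"""Validate HTTP Strict-Transport-Security (HSTS) headers, RFC 6797 style.

Added example; the sample headers below are constructed, not captured
from any real server.
"""
import re
from typing import Dict, List, Optional

# Constructed sample response headers, one per scenario.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-hsts": {"Content-Type": "text/html"},
    "short-max-age": {"Strict-Transport-Security": "max-age=300"},
    "strong": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "malformed": {"Strict-Transport-Security": "max-age=abc; includeSubDomains"},
}

ONE_YEAR = 31536000  # seconds; threshold assumed from common preload requirements


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an STS header value. Returns None when the value is invalid.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is required, and no directive may repeat.
    """
    directives: Dict[str, object] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive invalidates the header
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())  # delta-seconds, optionally quoted
            if not m:
                return None
            directives[name] = int(m.group(1))
        elif name in ("includesubdomains", "preload"):
            if val:
                return None  # these directives take no value
            directives[name] = True
        else:
            directives[name] = val.strip()  # unknown directives are kept but not interpreted
    if "max-age" not in directives:
        return None  # max-age is mandatory
    return directives


def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response; an empty list means a strong policy."""
    findings: List[str] = []
    # HTTP header names are case-insensitive, so match accordingly.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    parsed = parse_hsts(value)
    if parsed is None:
        findings.append("malformed Strict-Transport-Security header (browsers ignore it)")
        return findings
    max_age = int(parsed["max-age"])  # type: ignore[arg-type]
    if max_age == 0:
        findings.append("max-age=0 removes the host from the browser's HSTS cache")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the one-year value commonly required for preload")
    if not parsed.get("includesubdomains"):
        findings.append("includeSubDomains absent: subdomains can still be reached over plain http")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        result = assess_hsts(headers)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

The parser deliberately rejects the malformed sample rather than guessing, because a browser that cannot parse the header applies no HSTS policy at all, which is the failure mode a header audit most needs to surface.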