I doubt it. CAs still have EV, wildcard, email, and code signing certificates that are often twice as expensive (or more) than their DV offerings. And some people will choose to pay for a DV cert just so they don't have to swap them out every 3 months anyway.
EV can die a fiery death. It is bullshit. I don't see a reason why LE can't issue wildcards in the future, though with their current setup they are even less important. Email certificates can be issued by LE as well. Code signing is the only one I see as problematic.
In either case, I suspect that LE will take a huge bite out of CA's bottom lines, since there are a lot more DV certs out there than EV ones.
Honest question: why is EV bullshit? It's easier for my mom to check for a green bar saying "Bank of America" than to understand the difference between bankofamerica.com and bankofamerica-onlinebanking491.com. EV may not be bulletproof, but it potentially makes some rather popular attacks way harder to execute at scale.
Well, for one because EV certs are ridiculously overpriced. Also, EV once again just guarantees that someone somewhere has a credit card and some papers they filed. Can I start a "Bang of America" and get an EV cert for that? Sure I can! (Don't google that).
Another example of where I think it's confusing is when EV actually uses the company name. Go to https://lastpass.com/ and take a look at their EV green bar. It says "LogMeIn, Inc [US]" and before it said "Marvasol". Neither of them says "LastPass" which is what I actually want to know. If the company name behind your product is not as widely known as your product, oops, you just scared your customer.
Basically, it's a hard problem: you are asking CAs to make the distinction between names that may be similar, and therefore used for fraud, vs. distinct and used for legitimate purposes.
If you think EV certs are over-priced, then there's a big market opportunity waiting for you: just make a CA that sells them cheaper!
In practice, you probably won't do that, because if you look into the various costs EV CAs have, you'll find that the cost of what they're doing is actually non-trivial and it's not exactly a license to print money. Add up the costs of the company, the audits, the hardware to protect the keys, the humans to perform the manual verifications of the cert requests, the OCSP servers, the software dev costs etc ... it's not zero.
With respect to phishing, yes, you could get "Bang of America" (possibly), but this comes with two MASSIVE caveats:
• You cannot do so anonymously, or at least it's very difficult to do so.
• You cannot get something like "Bank of America System Network" because the CAs have procedures in place to stop that sort of thing ... like human review.
In practice, phishing sites based on similar looking letters were a thing decades ago but haven't been so for a long time, partly because there's only a tiny number of such combinations and the legit companies normally own them all. My experience of phishing sites from a few years ago was that they either used misleading DNS names like "www.bankofamerica.com.net.cdn.co.cn" which exploit the fact that people stop reading at ".com", or just didn't care at all and used phishing sites hosted on hacked web servers, which exploit the fact that a lot of people don't ever look at the URL bar at all.
EV is a key step towards fixing both problems, by giving people sensible human meaningful identifiers that are read left to right instead of right to left, and by providing a friendly name that could (in a smart browser) replace the junk in the URL bar entirely. If most sites used EV certs there's a chance users would actually start reading the URL bar again, and then they'd know where they are online.
I agree that companies whose primary web identities don't match their legal identities are an issue for EV certs, although arguably that problem will confuse users sooner or later anyway (e.g. if they need to send/receive money from that company). Better to have the names synced.
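The "people stop reading at .com" trick above rests on the fact that only the labels next to the public suffix were registered; everything further left is chosen freely by whoever controls that domain. As an added example (not from any commenter), this reads a hostname the way a browser's registrar logic does and flags a brand name that appears outside the registrable part. The suffix set and the sample URLs are constructed for the example; a real checker would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the sample inputs.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "net.cn", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the label directly left of the longest matching public suffix.

    That label is the only part of the name the owner had to register;
    every label further left is under their own control.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walking i upward tests the longest candidate suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)  # the hostname is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def reading_order(hostname: str) -> str:
    """Show the DNS hierarchy the way it is actually resolved: right to left."""
    return " > ".join(reversed(hostname.lower().rstrip(".").split(".")))


def assess(url: str, brand: str, legit_domains: set[str]) -> str:
    """Classify a URL relative to a brand whose real registrable domains are known."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "ok"
    # Everything left of the registrable domain was chosen by the registrant.
    subdomain_part = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    if brand in subdomain_part.replace("-", "").replace("_", ""):
        return "brand-in-subdomain"      # e.g. brand.com.net.cdn.co.cn
    if brand in reg.replace("-", ""):
        return "brand-lookalike-domain"  # e.g. brand-onlinebanking491.com
    return "unrelated"


if __name__ == "__main__":
    legit = {"bankofamerica.com"}
    for u in ("https://www.bankofamerica.com/login",
              "http://www.bankofamerica.com.net.cdn.co.cn/login",
              "https://bankofamerica-onlinebanking491.com/"):
        h = urlsplit(u).hostname
        print(f"{u}: {assess(u, 'bankofamerica', legit)} ({reading_order(h)})")
```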
Yeah, wildcards are a necessity when every certificate is difficult to obtain, but LE really means we hit post-scarcity and certificates can be issued on the fly for new domains and subdomains.
To an extent - LE still has rate limits for the number of certificates issued to a second level domain (5 in 7 days currently), so if you have many subdomains it could conceivably become unmanageable to keep them all updated.
EV is what CAs were supposed to do but initially never did: a trusted third-party validation that checks if an online identity really matches the real-world identity. It's similar to PGP key-signing, but on a government/industry level.
The question I wonder about is if CAs can actually survive on only doing their intended job, and if the green bar can sustain enough trust to be worth paying for.