
This absolutely IS a reason to distrust a website claiming to be owned by a bank (or any other institution working with such sensitive assets). To be precise, such a website absolutely needs to have a certificate granted not only on the basis of "yes, I control the machine this domain points to" (which is what Let's Encrypt does), but also based on other, more physical and reliable means.


You're talking about EV certificates. They're dead.[0]

I personally would trust something signed by Let's Encrypt more readily than many other certificate providers. They appear to know what they are doing.

[0] https://www.troyhunt.com/extended-validation-certificates-ar...


The only thing other CAs do (after EV certificates stopped being a thing, as a sibling commenter already mentioned) is to take more money from you than Let's Encrypt, in exchange for longer validities and historically some other concessions (although the browser forum has been clamping down on that, for good reasons).

In other words, if the bank is following best security practices, they're fine with Let's Encrypt; if they don't, they might need somebody else.


My bank doesn't have an EV, they have just a plain Amazon cert.



