I live in the UK and with our internet laws here becoming more and more strict over the last few (and coming) years, I wanted an alternative to Google or Bing who both actively cooperate with the governments existing proclivity to censor things like Porn.

Bing's video search for pornography is absolutely fantastic, it's legitimately the one thing I use Bing for.

The power dynamics are significantly different though, I don't feel at all in danger, I'm a 6'2 man who lifts weights in his spare time, so it's more of an annoyance than anything truly worrying. I understand that this person may go on to harass the next person who fills my role, but I simply have too much personally riding on the outcome of the present to leverage it in that way.

I'd certainly be pretty worried if someone in a position of power over me was doing anything of the sort. Even if you don't have to worry about the individual literally overpowering you (Which in itself would be a tough thing to prove you were not the aggressor if you are a muscular 6+ footer and had to push off an aggressive advance)

* Boohoo

* Pretty Little Thing

* Missguided

* Marks & Spencers (non-food)

* House of Fraser (under 20Kg)

* Debenhams

Outside of these, with "Collect Plus" now being next-to ubiquitous in the UK (over 6,000 participating stores) any store using Collect Plus (or DPDs Ship-to-shop) can offer free returns via the stores. As an example of how useful this is in general, the tiny corner shop on my street is a Collect Plus collection point.

They even have places to try on clothes, and packaging materials there, so you can return the items without ever taking them home.

Unfortunately they are quite expensive from a retailers perspective, or roughly equivalent to a Prime membership if the user subscribes directly (so they can use it with all online stores).

The persisting idea that this was to protect children is such a lie, this was absolutely to protect Youtube from the backlash they've been receiving from advertisers who don't want their advert for toothpaste showing up next to a video discussing the best uses for anal beads or any US political opinion which doesn't firmly conform to being hard left (before I'm down-voted for saying that, as a British leftist, my personal brand of over-the-top semi-communism would make even the left-est of Americans feel a bit sick).

"It’s tried to enlist users to flag problem videos, and that backfired when trolls heard about the plan." - This is discussing how Youtube wanted to give users the ability to mass-flag groups of videos, as in flag multiple videos at once instead of individually. Trolls? This only effects content creators.

"But despite YouTube’s efforts, it didn’t notice YouTube megastar PewDiePie going rogue." - Almost straight away after the story broke, they canceled Felix's "Scare Pewdiepie" Youtube series contract before he had even had a chance to publicly respond to the (frankly ridiculous) claims that he was a Nazi sympathiser.

My grandma still uses browser bookmarks, but I have no none-anecdotal source for this.

BoA could absolutely do all the things you just mentioned, but all of them are more difficult than simply replacing their certificate using Comodo or some other trusted root CA.

[1] https://w3techs.com/technologies/details/ce-hsts/all/all

[2] https://community.qualys.com/thread/15972

That depends on the design of the site and their business policies. I agree though - for any sensible organization switching certs is going to be easier. But if that was really the case here, why were they asking Symantec for special favours?

I imagine that there will be a lot of angry customers asking for refunds from Symantec/Verisign for certificates already issued which no longer conform to the offered product.

ie.

    https://paypal.com-customerservice.ru

    PayPal Inc [US] | https://paypal.com

Here is a DV cert:

    openssl x509 -in domain-validated-example.com.crt -noout -text | grep Subject
     OU=Domain Control Validated
     CN=example.com
     DNS:example.com

    openssl x509 -in extended-validated-example.com.crt -noout -text | grep Subject:
       jurisdictionOfIncorporationCountryName=GB
       businessCategory=Private Organization
       serialNumber=09378892
       C=GB
       ST=City of London
       L=London
       O=example Limited
       CN=example.com
       DNS:example.com -

See also the Nordea section at https://hsivonen.fi/bank-idp/ . How is a user supposed to form a mental model about multi-server org who don't use EV consistently?

There's no simple, single answer here: you can stop validation downgrades is pinning to EV roots but browser UI is also a huge part: mobile Safari, for example, simply uses the validated legal entity as the address and keeps it on screen during the entire session (even when you scroll). Visit https://stripe.com on mobile Safari and you'll see

> _______________Stripe Inc.______________

...persistently on top of the screen throughout the entire session [1]. Other browsers don't show validated identity as effectively though.

[1] Safari should also add a country indicator to distinguish other validated legal entities called 'Stripe, Inc.' in different jurisdictions.

But that overlay just before I started reading your landing text is a serious mood-killer. I'm not going to set-up a remainder for when my certificate expires before I read your page.

There's cheaper options around, but we only do EV and we're the best at it.

What makes an EV cert an EV cert is that it contains a Certificate Policies extension. (There are also requirements for the EV to have certain things in the Subject; I'm only saying that they're not necessarily forbidden from the Subject in the DV case.)

That said, many CAs like to overwrite whatever subject you give them with stuff like what's in your example. But you can find examples on the Internet where this doesn't hold, and the Subject contains useful information (e.g., Wikipedia, Let's Encrypt, Google).

One of the things I wish that x.509 was would be that certificates could have been simply a signed (CSR + additional data from CA); since CSRs are themselves signed, this would have prevented the CA from being able to change the CSR after it's submission; that is, the process of submitting the CSR would give the CA two options: append information and sign, or not sign. As it is, their first option is "rewrite the cert however we like and sign"

It doesn't matter so much for the Subject, but CAs will also do things like take a requested extension that has the critical bit set in the CSR, and mark it as non-critical in the certificate. (or even flat out drop the extension) A dev who blindly assumes that the CA will either do as asked, or refuse with a reason then runs the risk of putting a certificate that was really ever requested into production.

(One, I suppose, could assert that allowing free-form Subjects might cause a CA to sign a cert whose Subject is lying or misleading, which could be bad if the reader thinks the signature implies validation of that data.)

> If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation.

The green bar with our company name in it translated in to a measurable conversion increase week for week from guest checkouts, so saying it's a waste of money isn't strictly true in our case.

They don't improve security -- that is true.

That's a bit hard to reconcile with the fact that Amazon.com can't be bothered to get one.

Non-household name eCommerce sites benefit significantly from quality signals like the EV bar, however.

If we'd asked in 2015, Symantec would probably have pointed us to CrossCert's CPS which said they only use certain Symantec roots. In fact Symantec had no mechanism in place enforcing that, CrossCert could and did issue from any Symantec root, whether it was on the list or not. So, if you chose a root thinking "I don't trust CrossCert, but they don't use this root so it's fine", oops, too bad.

The HTML hidden in that mountain of div tags is remarkably well formed for the standard I see around on the "modern web".

Would you be able to add some other examples such as interfacing with a database or making remote network requests over http?

go get github.com/blackss2/utility/convert * don't use for production

In my opinion, saying that if Germany were standalone they would have a stronger currency is the same as saying "If California were standalone they would have a stronger currency".

The US has its Mississippi, Europe has its Greece.