
Why should you trust me if you have never met me? If you like what I do, trust me, and please give me money. :)

Cert companies only do a phone call check for the very expensive EV certs. There is no minimal to extensive checking. That is a scam.

Web tech is all https now. I can't even browse a lot of https sites with some of my older devices. There is a requirement and I dislike it.

>There is no minimal to extensive checking. That is a scam.

You generally have to modify the root domain to host a random value in a text file the cert company gives you. This demonstrates that you have control of the domain.

Aka, minimal checking.

Granted, that doesn't prove that you're the domain owner, but if you aren't the domain owner and you've got enough access to pass that challenge, the real owner has security problems a cert isn't going to fix, so hey.

All things considered, it's a hell of a lot better than nothing.


> Why should you trust me if you have never met me? If you like what I do, trust me, and please give me money.

What if a customer who trusts you returns to your site, but ends up on an impostor's site instead? He has no way to discern the difference.


I would argue strongly that such users do not have those abilities even with https. A valid cert is a valid cert. My supporting point would be the major browser vendors' recent backpedal on throwing mixed-content errors, demonstrating that a smooth ride for the user is far more important than safety to them.

Actually I called shutterfly.com on the phone about that mixed content issue. I emailed them screenshots of the error from 6 different operating system and browser combinations, from 3 other users even. They claimed nothing was wrong. They were serving javascript via http on an https page and told me I was wrong and needed to update java, for weeks, on the phone, in chat, and in email, and declined to send the report to their webmaster. Even those wanting to be trusted are incapable of using these tools, from what I have seen. The whole thing is broken.
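An added example (not posted by any commenter in this thread): a small Python checker that does the mixed-content test the comment above describes doing by hand, flagging sub-resources an https page pulls in over plain http. The sample HTML and hostnames are constructed for illustration.

```python
"""Mixed-content checker: find sub-resources an https page loads over http."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource.
URL_ATTRS = {
    "script": "src", "link": "href", "img": "src", "iframe": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data", "embed": "src",
}
# "Active" content (scripts, stylesheets, frames, plugins) can rewrite the page,
# so browsers block it outright; images and media are "passive" and only warn.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as page content here
        value = attrs.get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        # urljoin resolves relative paths and scheme-relative "//host/x" against
        # the https page URL, so only explicit http:// references remain http.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every http sub-resource on an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one blocked script, one scheme-relative stylesheet
# (fine), one relative script (fine) and one http image (warning only).
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<script src="/static/local.js"></script>
</head><body><img src="http://images.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://shop.example.test/"):
        print(f"{kind:7} <{tag}> {url}")
```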


> I can't even browse a lot of https sites with some of my older devices.

What devices do you have that don't support TLS?

Also, the point is not to trust you or not, it's to trust that I'm actually talking to you and not a MitM.


Libretto 50ct. If 301s from http:// to https:// didn't exist, then I wouldn't have anything to complain about.
