Side note: I use Amazon certificates (ACM), and I had someone try to "verify me" using Extended Verification procedures. ACM doesn't have EV (it is listed as one of the limitations), but the real question I have is:
What is Extended Verification
Why would I want Extended Verification
Why would I look more legitimate to someone looking for Extended Verification? Because my business/personal information would be associated with the certificate or something?
I'm not sure if this is still the case, but for some time, Twitter served both EV and non-EV certificates depending on where the visitor was located. I don't think they ever publicly explained this behaviour.
> Because my business/personal information would be associated with the certificate or something?
Exactly. EV certs are tied to a business, and said business' identity is verified in the process. Where for a domain validated (DV) cert the CA only verifies that you control the domain/the server it is pointing to, an EV cert also has the business name (and browsers generally show that). If you own ringaround.com, I can register ringaround.io and get a cert for that and try to impersonate your website to users, but I'll have a harder time getting an EV cert for ringaround Ltd.
The limitation of course is that this requires users to actually check/notice the cert isn't an EV one, which is why the usefulness of EV is questioned.
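The DV/EV distinction described in this reply can be checked programmatically: a DV certificate's Subject carries only a name for the domain, while an EV certificate must also carry the verified organisation, its business category, a registration serial number and the jurisdiction it was registered in. The script below is an added example, not code from this thread; it classifies a certificate from the Subject dict shape returned by Python's standard-library `ssl.getpeercert()`, and the `jurisdiction*` attribute names are assumed to match OpenSSL's long names for those OIDs.

```python
"""Classify a TLS certificate as DV / OV / EV-like from its Subject fields."""
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require for EV.
# The 'jurisdiction*' key names are assumed OpenSSL long names.
EV_REQUIRED = ("organizationName", "businessCategory", "serialNumber",
               "jurisdictionCountryName")
EXTRA_IDENTITY = ("jurisdictionStateOrProvinceName", "countryName")


def subject_attrs(cert):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) subject into a dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            attrs[key] = value
    return attrs


def classify(cert):
    """Return (kind, identity): kind is 'DV', 'OV' or 'EV-like'.

    identity is None for DV (only domain control was validated); otherwise it
    is the organisation data a user would have to compare against the company
    they actually mean, including where it was registered.
    """
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV", None
    identity = {k: attrs[k] for k in EV_REQUIRED + EXTRA_IDENTITY if k in attrs}
    kind = "EV-like" if all(k in attrs for k in EV_REQUIRED) else "OV"
    return kind, identity


def fetch_cert(host, port=443):
    """Fetch and validate a live server's certificate (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; these are not real certificates.
DV_SAMPLE = {"subject": ((("commonName", "ringaround.io"),),)}
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("jurisdictionStateOrProvinceName", "Nevada"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "EXAMPLE-0001"),),
                         (("countryName", "US"),),
                         (("organizationName", "Ringaround, Ltd"),),
                         (("commonName", "ringaround.io"),))}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, EV_SAMPLE):
        print(classify(sample))
```

Surfacing the jurisdiction alongside the organisation name is the point: two certificates can both say "Ringaround, Ltd" and both be genuinely EV, differing only in which registry issued the company.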
Actually, only a slightly harder time. If the company hasn't already locked down all the TLDs for their given name, then it's probably a piece of cake to register that company name in some locale and then get the EV for it. (I've done the EV verifications, and they're not really that challenging; and how could they be, since they have to validate companies all over the world, with varying amounts of paperwork, etc.) Keep in mind that companies in the United States are registered (generally with the Secretary of State) in their state, so now you've got fifty different ways of verifying just U.S. companies. Someone registered ringaround, Ltd in California already? Just register it in Nevada, or Florida, or Delaware, or... you get the picture. Many of these can be registered in about fifteen minutes with a credit card.
But not to pick on the U.S.; if you're from outside the country, the U.S. is actually a pretty nice place to base your company. But, if you were the EV company, how would you verify a company in Nevis or Timbuktu? How will you REALLY know if that company is even legit, or if the country just hands out "Corp" or "Ltd" or "IBC" to anyone who pays $50 on a credit card?
EV isn't quite a joke, but it's not really as useful as the companies pushing it make it out to be.
In principle CAs aren't supposed to hand out EV certificates without a way to actually make sure the Subject entity exists. It's common for EV to only be available for certain countries, because you're right that it's not obvious how to check that the government of Mali really authorised you to operate a company named "Ringaround, Ltd" in Timbuktu (a city in their country).
The basics are: First, there needs to be some sort of government agency that can say authoritatively which companies exist in their country, and either give a date when they were created or a "serial number" in some sort of register - preferably via a secure online API. Second, the country must have some reliable "business directory" or similar that lists authoritative contact details for that type of business, for example Dun & Bradstreet. This is to be used to phone the business up and ask to talk to someone about this certificate they supposedly want issued.
However you're quite right that places like Delaware or the United Kingdom, despite having a reputation as perfectly law-abiding places actually have very lax regulation for starting dodgy companies; the only reason scammers aren't buying EV certificates for dodgy company names in those places is that it doesn't matter. The day we make ordinary users demand an EV certificate to trust they're really dealing with "PayPal" is the same day scammers will start brass plate companies in London or Delaware named "Pay A Friend, Incorporated" or "My Pal, Ltd" or "PP Internet Payments" or whatever. Fools will still get separated from their money. No technical fix (and EV is a technical fix) can prevent that.