Extended Uncertainty

I use myvidoop as my OpenID delegate. They used to have an EV certificate. Yesterday, they didn’t.

The EV security model is roughly that if you have previously seen a site using an EV certificate, as long as you continue to see it use an EV certificate, you can be pretty sure that a CA has done non-zero work to check that the domain belongs to the company named on the certificate.

Now, when a site used to have an EV certificate but no longer does, as a user, I’m supposed to assume that one of two things happened: either a man-in-the-middle attacker has poisoned the DNS record and has acquired a zero-vetting certificate from a browser-accredited CA, or the DNS isn’t poisoned and the site just opted not to pay a premium when it was time to renew its certificate.

Aside: Firefox sent cookies set over EV https back over non-EV https.

The email reply I got from Vidoop is that this is a “hiccup” and that I can convince myself that my DNS is not poisoned by checking from multiple DNS servers.
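The continuity model and the cookie aside above can be sketched as a client-side check. This is an added example, not code from the original post or from any browser. The `Observation` and `ContinuityStore` names, the host `idp.example` and the organization name are constructed, and treating the CA/Browser Forum OID `2.23.140.1.1` as the only EV marker is a simplifying assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: EV is recognised by the CA/Browser Forum EV policy OID alone.
EV_POLICY_OIDS = frozenset({"2.23.140.1.1"})

@dataclass(frozen=True)
class Observation:
    """What a client saw in one TLS handshake (constructed input, not a parsed cert)."""
    host: str
    policy_oids: frozenset
    organization: Optional[str]  # subject O; only vetted when the cert is EV

    @property
    def is_ev(self) -> bool:
        return bool(self.policy_oids & EV_POLICY_OIDS)

@dataclass
class ContinuityStore:
    pinned_org: dict = field(default_factory=dict)  # host -> organization last seen with EV
    cookies: dict = field(default_factory=dict)     # host -> [(name, was_set_over_ev)]

    def check(self, obs: Observation) -> str:
        prev = self.pinned_org.get(obs.host)
        if prev is None:
            if obs.is_ev:
                self.pinned_org[obs.host] = obs.organization
                return "first-seen-ev"
            return "no-ev-history"
        if not obs.is_ev:
            # Cannot tell a lapsed renewal from an attacker holding a zero-vetting
            # certificate, so keep the pin and surface the downgrade.
            return "ev-downgrade"
        if obs.organization != prev:
            return "ev-org-changed"
        return "ev-continuous"

    def set_cookie(self, obs: Observation, name: str) -> None:
        self.cookies.setdefault(obs.host, []).append((name, obs.is_ev))

    def cookies_to_send(self, obs: Observation) -> list:
        # Withhold cookies that were set over EV when the current connection is not EV.
        return [n for n, over_ev in self.cookies.get(obs.host, []) if obs.is_ev or not over_ev]

if __name__ == "__main__":
    store = ContinuityStore()
    ev = Observation("idp.example", frozenset({"2.23.140.1.1"}), "Example Corp")
    dv = Observation("idp.example", frozenset({"2.23.140.1.2.1"}), None)
    print(store.check(ev)); store.set_cookie(ev, "session")
    print(store.check(dv), store.cookies_to_send(dv))
```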