@ThatPrilla @Some_Emo_Chick But where I'm definitely out are site providers who, for whatever reason, think they have to break TLS connections using MITM, or use so-called service providers who do this. I don't enter anything there, no user, health, financial or other personal data!
The best, no, the worst example was this association from Munich, which on the one hand promoted free networks but on the other used Cloudflare as MITM.

2/3

@Dj4n90 @Some_Emo_Chick

A domain validation cert from lets encrypt and a domain validation cert from any other CA are functionally indistinguishable and provide the exact same level of assurance, which is only that the cert has been issued to someone who has access to that domain and that your connection to the thing presenting the cert is reasonably private/secure.

So unless you are only putting personal info into sites where you manually look for the OV or EV details to verify, you aren't making your self more secure.

But the other problem is that the extended validation process isn't reliable.

A few years back a researcher got an EV cert for "Stripe Inc" by registering a company with that name at the state level in the US and that was enough for a CA to issue him an extended validation cert. Cost him $177.00 to do that.

But even then, that is massive overkill for phishing now because browsers removed the UI elements that indicated a cert was an EV cert.

The simple fact truth is, as long as someone can complete a domain control challenge, any CA will issue them a cert without any further verification. Payment details aren't even reliable because stolen identities and payment information are everywhere.

If you are relying on a cert alone to protect you from fraud, you aren't really protecting yourself.