The assumption underlying your position is (being generous) that the world is full of passive MITMs who can't also take part in the conversation
When I was in college I used to teach friends the importance of encryption by just showing them a live dump of packets on the dorm's LAN. You could see everything: here are the IMs coming to you and getting your away message as a reply, there's your computer refreshing the news site you were looking at a minute ago... it opened their eyes in a big way.
Encryption -- even without checking seventeen forms of government-issued ID from the person on the other end -- does in fact stop that passive surveillance, and like it or not that's a gigantic use case.
The realistic threat model for most people in terms of active MITM is something like their ISP trying to inject ads and tracking into what they browse, or their home router getting compromised. It takes very very little in terms of identity verification to shut that down; DV certs, which you can get by the truckload, for free, from Let's Encrypt -- will handle it just fine. Which means you don't need EV for that.
As to Snowden, I'm reminded of James Mickens' famous breakdown of threat models. All the Ultra-Verified Premium Secure XP+ Guaranteed™ certificates in the world ain't gonna help if a major government decides to come for you.
EV is snake oil. It literally does not solve any realistic problem the average person has when using the internet; all it does is line the pockets of the cert vendors. DV is the absolute most you need to shut down the things you can shut down, and encryption in general -- even without verification! -- is just fine, thanks. I know I might have a secure channel to Satan. I care about the "secure" part, not the "Satan" part.
Also, as I often do when faced with a true believer, I'll ask you: how many times have you initiated an SSH session with some host for the first time and just accepted past the initial warning? If encryption without rigorous verification is "objectively worse than no encryption at all", why didn't you just telnet instead?
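An added illustration, not part of the original thread, of the three threat models the post contrasts: a passive sniffer on the LAN, an active MITM who talks to both sides, and SSH-style trust-on-first-use pinning that catches the MITM on every connection after the first. Everything in it is constructed for the example: the Diffie-Hellman group is a toy 127-bit prime (real protocols use a standardised group such as RFC 3526 group 14), the cipher is a hash-counter keystream rather than a real AEAD, and there is no network.

```python
import hashlib
import secrets

# Toy DH group (assumption for the example): small enough to keep the demo
# fast, not remotely secure. 2**127 - 1 is prime; 5 is just some generator.
P = 2**127 - 1
G = 5


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream: a toy stream cipher, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes it


class Endpoint:
    """One side of an unauthenticated DH exchange: no identity check at all."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)  # this is what goes on the wire

    def session_key(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """SSH-style fingerprint of a presented host key."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def passive_eavesdrop(client, server, message: bytes):
    """Eve only records the wire. Returns (what server read, what Eve read)."""
    ciphertext = encrypt(client.session_key(server.pub), message)
    server_plain = decrypt(server.session_key(client.pub), ciphertext)
    # Eve saw client.pub and server.pub but holds no private exponent,
    # so the best she can do with the ciphertext is guess a key.
    eve_plain = decrypt(hashlib.sha256(b"guess").digest(), ciphertext)
    return server_plain, eve_plain


def active_mitm(client, server, message: bytes):
    """Mallory runs one DH exchange with each side and re-encrypts in the middle."""
    mallory = Endpoint()
    k_client = client.session_key(mallory.pub)   # client believes this is the server
    k_m_client = mallory.session_key(client.pub)
    k_m_server = mallory.session_key(server.pub)
    k_server = server.session_key(mallory.pub)   # server believes this is the client
    ciphertext = encrypt(k_client, message)
    mallory_plain = decrypt(k_m_client, ciphertext)
    server_plain = decrypt(k_server, encrypt(k_m_server, mallory_plain))
    return server_plain, mallory_plain, mallory.pub


class TofuClient:
    """Trust-on-first-use: pin the first key seen per host, like known_hosts."""

    def __init__(self):
        self.known_hosts = {}

    def connect(self, host: str, presented_pub: int) -> str:
        fp = fingerprint(presented_pub)
        pinned = self.known_hosts.get(host)
        if pinned is None:
            self.known_hosts[host] = fp        # the "accept" at the first warning
            return "first-use: pinned"
        if pinned != fp:
            return "WARNING: host key changed"  # an MITM is now visible
        return "ok: key matches"


def run_demo() -> dict:
    """Exercise all three scenarios and report who could read the message."""
    client, server = Endpoint(), Endpoint()
    msg = b"away message: brb, in the library"   # constructed sample traffic
    srv_plain, eve_plain = passive_eavesdrop(client, server, msg)
    srv_plain2, mallory_plain, mallory_pub = active_mitm(client, server, msg)
    tofu = TofuClient()
    return {
        "passive_server_reads": srv_plain == msg,
        "passive_eve_reads": eve_plain == msg,
        "mitm_server_reads": srv_plain2 == msg,
        "mitm_mallory_reads": mallory_plain == msg,
        "tofu_first": tofu.connect("dorm-box", server.pub),
        "tofu_honest": tofu.connect("dorm-box", server.pub),
        "tofu_mitm": tofu.connect("dorm-box", mallory_pub),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the block makes concrete: unauthenticated key agreement already defeats the dorm-LAN sniffer, an MITM who speaks to both sides defeats unauthenticated key agreement, and pinning (or, on the web, a DV certificate binding the key to the name) is what turns that MITM from invisible into a warning. Note that TOFU has exactly the weakness the post admits to: if Mallory is present on the very first connection, her key is the one that gets pinned.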