
Is Let's Encrypt good enough for say a production e-commerce site, or is it more for personal blogs and the HTTPS everywhere movement?


Let's Encrypt gives you a DV (domain validated) cert. That is good enough for most use cases, including amazon.com.

Most German banks for example use EV (extended Validation) certs, where the organization name appears in the browser's address bar. However, the benefit of EV certificates is debatable, since it's pretty easy to register a valid-sounding company under some jurisdiction or another.

Also, organization structures aren't transparent to everybody (how many of your non-tech friends would be surprised if google.com had a certificate issued for "Alphabet Inc."?).


> Also, organization structures aren't transparent to everybody (how many of your non-tech friends would be surprised if google.com had a certificate issued for "Alphabet Inc."?).

A clear example of this is KLM, where www.klm.com's certificate is registered to "KONINKLIJKE LUCHTVAART MAATSCHAPPIJ N.V." (try that on a mobile browser!). It's sufficiently different to what people expect (which is, admittedly, just an initialism) that I've known various people who actually understand EV certificates get thrown by it.


Amazon.com does not have a DV cert, they have an OV cert. You can tell because the country, state, locality, and organization name fields have values. In a DV cert they are empty (since a DV cert does not verify those things).

Like a lot of big companies, Amazon has a cert from Digicert. To my knowledge, Digicert does not issue DV certs, only OV and EV.

That said, I agree that DV certs are good enough for production for most people.
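The field-based rule from this comment, as an added example written for this thread rather than taken from any poster: it classifies a parsed certificate as DV when the country/state/locality/organization subject fields are empty and OV when they are filled, and goes one step further by treating the CA/Browser Forum EV policy OID 2.23.140.1.1 as the EV marker (an assumption; CAs have also used their own EV OIDs). The certificates are constructed self-signed stand-ins for ones you would fetch from a server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID 2.23.140.1.1, assumed here as the EV marker.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
// classify applies the thread's rule: DV leaves country/state/locality/org
// empty, OV fills them, EV additionally asserts an EV certificate policy.
func classify(cert *x509.Certificate) string {
	s := cert.Subject
	if len(s.Country) == 0 || len(s.Province) == 0 ||
		len(s.Locality) == 0 || len(s.Organization) == 0 {
		return "DV"
	}
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(evPolicyOID) {
			return "EV"
		}
	}
	return "OV"
}

// makeCert builds a constructed self-signed cert standing in for one fetched
// from a server; ev adds a certificatePolicies extension carrying the EV OID.
func makeCert(subj pkix.Name, ev bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{"shop.example.test"}}
	if ev {
		val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{evPolicyOID}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Note that even an "OV" or "EV" result only tells you the legal name the CA verified, not whether that legal entity is the brand the user had in mind.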


I heard the cost of EV certs is pretty high so it's much less likely a scammer will buy an EV cert vs just a similar domain and a regular cert.


Took this guy $177 to register a Delaware corporation called Stripe Inc and get Comodo to issue him an EV certificate that looks exactly like the real payment gateway. After Comodo revoked his cert, GoDaddy gave him one.

https://stripe.ian.sh/

EV certificates tell you that a site is owned by a company with a particular name, not that it is the company you actually want. There's a reason browser vendors are de-emphasising EV: it isn't very useful.


Shopify uses Let's Encrypt for their shops, so I'd imagine it's pretty safe for e-commerce sites.

https://www.shopify.com/blog/73511365-all-shopify-stores-now...


Awesome, that's great to hear! Thank you.


Its certs are the same in the end as anyone else's certs. You just don't have to pay or go through a bunch of hoops to get one.

Fine for e-commerce. They don't do extended validation or any of the more "I am really who I say I am" certs.


From a technical standpoint it's no different than any other DV (domain validated) cert. If you're selling a LOT of stuff online and care about user interface, the $85/year that it costs to have an EV SSL cert may be worth it just for the "green bar" user interface change which seems to be reassuring to non-technical users.

They're used to seeing EV SSL type address bar when they sign in to their online banking and such.

Some people think that EV SSL is like $400; it's not, you really shouldn't be paying over $100/year. Still a racket in my opinion, but not one that's easy to circumvent.

https://www.google.com/search?q=EV+SSL+user+interface&num=10...


It's almost a false sense of "reassurance", as the users are blindly made to think it may be more trustworthy; in fact they don't know who did what to gain the (fake) trust.


I absolutely agree with you. It's an unfortunate case of having to deal with the perceptions of vast numbers of generally non-technical users, who have already been confused in the past by things like the GUI switch to Windows 10. When they sign in to Paypal they see the big green bar and are reassured.

You could totally register any random name like Really Legit Internet Enterprise LLC with some state government, put $100 in a bank account, scan the incorporation paperwork and get an EV SSL cert.



