@hlindqvist : the most important problem by far is that browser users do not know who is responsible for a website with a given domain name. This enormously exacerbates the phishing problem.
The main reason why I mention the mis-issued certs is that Google et al. kept complaining about mis-issued OV and EV certs, and insisted that QWACs would be mis-issued to governments for spying purposes; DV certs would be safe.
Google is now even destroying Entrust because of mis-issuance (https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html - not that I have any opinion about Entrust, but GTS = Google "Trust" Services issues certs to cybercriminals all the time).
Apparently there are no penalties for mis-issuing DV certs, or issuing them to cybercriminals - in particular when they use domain names clearly intended for phishing purposes. That *could* be a legitimate choice, but then users should be made aware what type of cert a website uses, in order to have necessarily trustworthy websites return to using more trustworthy certificates.
We are being lied to that DV certs are fine. They are not. Not only because the domain owner is anonymous and users see no difference between websites with DV vs more usable certs, but now there's plenty of proof that DV certs get mis-issued as well.
A DV cert may be fine for your home NAS, but as long as people cannot distinguish between websites with untrustworthy versus more trustworthy certs, cybercrime will continue to flourish - and probably become an even bigger problem.
On this insanely insecure internet, the EU wants their citizens to start using EDIWs (European Digital Identity Wallets).
It's primarily in your own interest that websites that demand that you authenticate using EDIW *are* trustworthy. If you have no way to know, they may AitM you to authenticate *them* as *you* on some other website. They'll be able to get credit cards registered in *your* name (highly trustworthy because of EDIW), but THEY will be draining that credit card. Good luck with proving "it wasn't me".
Three important facts that are often overlooked:
1) The easier impersonation is, the less reliable authentication is.
2) Authentication mandates that BOTH parties are reliable.
3) It is extremely hard, if not impossible, to overestimate the risks of AitM attacks.