by AnthonyMouse 3933 days ago
As far as I can tell EV certificates are completely worthless.

You know the TLS certificate you got from bankofamerica.com is legitimately from bankofamerica.com because of domain validation. What EV tells you on top of that is only that bankofamerica.com belongs to Bank of America Corporation. But you already have that information. Their website is written on the walls of all their bank branches and all the documents they've ever given you. You don't need a CA to verify that because you can trivially do it your own self. And the same is true for any person you actually know. You know their domain belongs to them because it's the domain they personally told you belongs to them.

So that leaves domains belonging to entities you've never otherwise encountered outside of their internet site. You may have never been to a Google office before. But if you've never encountered the entity outside of its internet site then the association is meaningless. What am I supposed to know of Google other than google.com?


There's also the fact that obtaining an EV certificate is so unbelievably painful. I swear it gets more difficult every year.

Last time I bought an EV cert, Comodo wanted a certification from a Chartered Accountant. Aside from the confusion associated with Comodo wanting a letter "your CA", we then had them Google for "accountants in Sydney" and complain they weren't listed on the front page.

"Kindly address the search page to show them on the page in order for us to process the order".

It took hours of complaints and escalations before they agreed to proceed, at which point they wanted to call the company's "public" phone number. Now they could have gone to the company's website, or the White Pages, but no, they found some .ru website with an "accountant review" and called the number listed there. Instead of asking what official phone listings Australians use, the only thing they would accept is "kindly update the website".

Yes, this is probably one of the more incredible examples, but the point is, who wants to risk even possibly dealing with this, when you can have a DV certificate in two minutes and it "just works"?

Wow, that's just absurd.

The benefit is that if I get BankOfAmericaa.com and try to get an EV cert, the CA is going to verify my actual company name, which will unlikely be Bank of America or anything similar. So now when I trick someone into visiting my site, if the EV area doesn't tell them "Bank of America [US]" then they should double check. Or flip it around - if a user is unsure they can go off the EV info instead of the domain name.

In practice, since EV certs aren't used all over (say, WellsFargo doesn't use them), then the value is fairly diminished since lack of EV doesn't mean much.

> The benefit is that if I get BankOfAmericaa.com and try to get an EV cert, the CA is going to verify my actual company name, which will unlikely be Bank of America or anything similar.

So the first question is, why not? Can't someone file papers for a shell corporation with whatever name they like? Of course "Bank of Americaa Corp" is likely to raise questions, but is it not possible to BS your way through an EV cert claiming to be "Bunk of America Corp", retailer of bunk beds, or "Bank on America Corp", domestic lobby group?

Going through the process is obviously a huge pain for the attacker, but it's a huge pain for a legitimate business too. If the purpose is to make the process expensive then you might as well dispense with the charade and just say "pay us $20,000 and we'll give you a shiny green bar".

And the attacker still has a problem. Everything you know about Bank of America says their website is bankofamerica.com, not bankofamericaa.com. The difference is right there on the user's screen if they're looking for it. And if they're not looking for it then what difference is a green bar? Especially if all we tell them is "make sure it's green" and not "make sure it doesn't say Back of America Corp".

Part of the label is also the country, if it says "Bank of America [AZ]" your alarm bells should start ringing.

If it says "bankofamericaa.com" your alarm bells should start ringing. Even assuming the attacker can't get a certificate for the right country, how is the user expected to notice (and understand) the wrong country code if they can't notice the wrong domain name?

I'd argue it's at least simpler to notice since it's more readable - it has spaces between words.

Notice that by this point the claimed benefit of the EV cert has lost all connection to the validation process and is now solely an artifact of the impermissibility of spaces in host names.

There's one difference (I don't think it really matters though) - if you go to bankofarnerica.com and get a valid certificate for bankofarnerica.com, it would not be owned by "Bank of America Corporation". But I agree it's worthless because it relies on you remembering that bankofamerica.com has an EV cert normally. And people are terrible at noticing what's missing.
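Added example, not from any commenter in the thread: a Python check over certificate data in the shape that `ssl.SSLSocket.getpeercert()` returns, showing what the EV subject fields (organizationName, countryName) add on top of the ordinary SAN/hostname check, and how the three cases argued above look to code: the real host with its EV cert, the real host with a DV-only cert (the "noticing what's missing" case), and a look-alike host for which the user has no remembered organisation at all. The sample certificates and the `EXPECTED` pin list are constructed for illustration, not real certificate data.

```python
# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns; not real certificates.
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("countryName", "US"),),
        (("organizationName", "Bank of America Corporation"),),
        (("commonName", "www.bankofamerica.com"),),
    ),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
# DV certificate for the look-alike host: subject carries only a CN, no O or C.
LOOKALIKE_DV_CERT = {
    "subject": ((("commonName", "bankofamericaa.com"),),),
    "subjectAltName": (("DNS", "bankofamericaa.com"),),
}
# DV certificate for the real host: the "noticing what's missing" case from the thread.
REAL_HOST_DV_CERT = {
    "subject": ((("commonName", "bankofamerica.com"),),),
    "subjectAltName": (("DNS", "bankofamerica.com"),),
}
# Organisation and country the user already knows for a host (assumed pin list).
EXPECTED = {"bankofamerica.com": ("Bank of America Corporation", "US")}

def flatten_subject(cert):
    """Collapse the tuple-of-RDN-tuples subject into a flat {attribute: value} dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def ev_label(cert):
    """The 'Organization [CC]' text a browser's EV indicator would show; None for DV."""
    s = flatten_subject(cert)
    if "organizationName" not in s:
        return None
    return f"{s['organizationName']} [{s.get('countryName', '??')}]"

def check_identity(hostname, cert):
    """Verdict for hostname: SAN match first, then EV label against the pin list."""
    host = hostname.lower()
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if host not in sans:
        return "REJECT: certificate not issued for this host"
    registrable = host[4:] if host.startswith("www.") else host
    expectation = EXPECTED.get(registrable)
    label = ev_label(cert)
    if expectation is None:
        return "UNKNOWN: no remembered organisation for this host"  # look-alike: nothing is "missing"
    org, country = expectation
    if label is None:
        return f"WARN: expected EV for {org} [{country}] but certificate is DV-only"
    if label != f"{org} [{country}]":
        return f"WARN: EV label {label!r} does not match expected {org} [{country}]"
    return f"OK: EV label {label}"
```

The UNKNOWN verdict for the look-alike host is the crux of the thread: without a remembered expectation for that exact name, neither the user nor this code has anything to compare the EV label against.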