by MichaelGG
3935 days ago
The benefit is that if I get BankOfAmericaa.com and try to get an EV cert, the CA is going to verify my actual company name, which will unlikely be Bank of America or anything similar. So now when I trick someone into visiting my site, if the EV area doesn't tell them "Bank of America [US]" then they should double check. Or flip it around - if a user is unsure they can go off the EV info instead of the domain name. In practice, since EV certs aren't used all over (say, WellsFargo doesn't use them), the value is fairly diminished since lack of EV doesn't mean much.
So the first question is, why not? Can't someone file papers for a shell corporation with whatever name they like? Of course "Bank of Americaa Corp" is likely to raise questions, but is it not possible to BS your way through an EV cert claiming to be "Bunk of America Corp", retailer of bunk beds, or "Bank on America Corp", domestic lobby group?
Going through the process is obviously a huge pain for the attacker, but it's a huge pain for a legitimate business too. If the purpose is to make the process expensive then you might as well dispense with the charade and just say "pay us $20,000 and we'll give you a shiny green bar".
And the attacker still has a problem. Everything you know about Bank of America says their website is bankofamerica.com, not bankofamericaa.com. The difference is right there on the user's screen if they're looking for it. And if they're not looking for it then what difference is a green bar? Especially if all we tell them is "make sure it's green" and not "make sure it doesn't say Back of America Corp".