"If he had been, and had used that EV cert to phish Stripe customers, he'd have been reported to the police using the details from the CA and possibly prosecuted. Bear in mind he had to register a company in the USA, not Kazakhstan."

Are you _from_ the USA? Or do you believe its propaganda from outside? You don't need to even be able to point to the USA on a map to set up a US company and do all this paperwork. You fill out a few forms on a web page, pay a little bit of money, American lawyers sort everything else out. They keep some of the money, the State keeps the rest, everybody is happy. Oh, except your victims. They can call the cops of course, but the State obeyed the law, and the Lawyer just does paperwork. It's not a crime to be the lawyer for a crook.

Why don't crooks do this today? Well, there are two answers. For big crimes, stuff like crooked property deals, they absolutely do this already, it's completely routine. For a phishing site they don't bother because it's not necessary. If 90% of visitors to your unsecured http://paypal-credit-checking.example/ fill out the form, and you get that up to 99% by obtaining a DV certificate for it, why spend $500 setting up a US corporation for the extra one percent? But if you persuade everybody EV is great, then sure, that's what they'll do next.

It also wouldn't scale: domains get blacklisted within minutes or hours, and getting an EV cert takes longer than that.