by aeternus 2508 days ago
The problem with EV is how do you handle companies with the same name? Many banks have similar and in some cases the same name.

The domain name system already handles this by enforcing uniqueness and leveraging the market.

There's no reason EV policy can't be modified to also enforce uniqueness. In fact, that's what I'd expect if we're only giving EVs to household names.

Banks which have the same name as other banks should change their name, but we should tie EVs for banks to existing financial system institutions. For example, most banks in the US have an FDIC number, so our EV validators in the US can tie a bank to its FDIC registration, and the user can cross-reference their bank with that as well. Basically if I'm a bank customer, I should have a unique identifier on my check or debit card which can be cross-referenced with the EV cert.

How do you decide which one needs to change its name? There's no objective measure for which is 'larger'.

The vast majority of consumers are not going to look up an FDIC number, and even if they did, it is still not optimal since banks regularly merge, which would cause confusion.

I don't think we really care, do we? I'm not really worried that I connected to First Bank rather than Second Bank, since both are legitimate banks; what I want is to ensure that I didn't accidentally connect to Second Bannk, the local fraud shop. "Is this site controlled by an FDIC-registered organization" is probably good enough™.

Why do EVs need to solve a problem that is already solved offline?

As you point out, there are plenty of real businesses with names similar to each other. And yet, they all manage to do business with their customers. How does it work? Because customers use more than just a name to recognize a business.

IMO this is a good example of how the goalposts have been moved on EV certs over time. They were never intended to solve name uniqueness globally, so IMO it’s silly to complain that they don’t.

I kinda agree.

Why don’t we include, in the EV cert, enough info to uniquely identify a business? E.g. the jurisdiction of business registration + the business registration number?

When issuing the EV cert, they don't actually validate any of that so it is of questionable utility.

I was surprised how easy it was to get an EV cert. The validators work from an offshore call-center and use sites like whitepages.com to look up the business. They then call the number listed (you could have updated the listing just before). When they call, you simply have to say "I am ... and my position is X at Y company." Then hand the phone to someone else who says something similar. There was no individual identity verification.

Then that sounds like an opportunity for the improvement of the EV process.

No CA should make it this easy. Any CA that keeps it easy should just be dealt with by the CA/Browser Forum.

EV certs do include enough info to uniquely identify a business.

Then the problem isn’t really with the EV cert itself, no?

What if browsers were designed such that for each website, over HTTPS or not, the first X times you visit it, the browser forces you to review the relevant WHOIS and/or certificate info in a modal? And also force you to review the certificate if the certificate has been renewed/replaced?

Who are these hypothetical users who are going to conduct a thorough review of Whois/cert data the first $n times they go to a site?

I’m a security-conscious, technically savvy user of the internet, and I’m neither convinced I would put up with this for more than a day before disabling it nor that it would improve my security if I were to try. I’m pretty confident my eyes would just start glazing over the 5th time I scrolled through cert metadata.

My hypothesis is that users just need to have an in-your-face reminder that they are venturing into uncharted territory whenever an unseen domain and/or certificate comes up. The "X" in my "first X times" could be as low as 1.

You also don't need to show all cert metadata; just enough to be meaningful to the user. I believe that stuff like certificate signature, public key, and hash don't need to be shown to the user in such a modal dialog; they could be automatically checked against certificate transparency logs.

What you want to show to the user in such a modal is stuff like:

  - entity name
  - business registration jurisdiction
  - business registration number

That's the kind of info that the CA ought to validate diligently. That's also the kind of info that people use to validate the identity of businesses in the physical world.

The modal should also have clear wording in big letters of what a certificate actually means, namely, that the communication with the server is safe against eavesdropping and forgery, but that it's the user's responsibility to make sure the server is not an imposter - e.g. similar name or same name but registered in a different jurisdiction than the legitimate entity.

It's a lot about education, awareness, and timely reminders.

The alternative, which is to hide any indication of EV from the user, seems to be throwing up our hands and just assuming users are always dumb and lazy. In that case, why bother with, not just EV, but any certificate at all?

Do you look at the business license of every store you walk into? Probably not.

But you have a latent expectation that the store is known to local authorities, who will be able to investigate a crime if that business commits one.

The information in an EV is not for consumer inspection up front, it is a paper trail for investigations to follow after the fact. The optional provision of this paper trail is a signifier to the consumer that this business intends to operate responsibly. Just like going through the trouble of setting up a store front is more trustworthy than pulling a truck full of inventory up to the curb.

What browsers could do better is leverage the EV info for consumers. For example, show a "report a problem with this business" button that connects the consumer with the relevant authorities and/or Better Business Bureau in the locality where that company operates. The EV supplies the legal company name and its locality of origin.
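
An added example, not part of the thread: the identity fields discussed above (entity name, registration jurisdiction, registration number) pulled out of an EV certificate subject, showing that two certificates with the same organization name still resolve to different legal entities. The subject strings are constructed samples in an assumed RFC 4514-style text form; hex escapes such as `\2C` and multi-valued RDNs are not handled.

```python
# EV subject attributes that identify the legal entity, keyed by OID and by
# the short display names this example accepts (assumed input format).
EV_ATTRS = {
    "2.5.4.10": "organization", "O": "organization",
    "2.5.4.5": "registration_number", "serialNumber": "registration_number",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdiction_country",
    "jurisdictionC": "jurisdiction_country",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdiction_state",
    "jurisdictionST": "jurisdiction_state",
}

def split_rdns(dn):
    """Split on unescaped commas, resolving backslash escapes on the way."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_subject(dn):
    fields = {}
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        name = EV_ATTRS.get(key.strip())
        if name:
            fields[name] = value.strip()
    return fields

def ev_identity(dn):
    """(country, state, registration number), or None if the subject lacks them."""
    f = parse_subject(dn)
    if not f.get("jurisdiction_country") or not f.get("registration_number"):
        return None
    return (f["jurisdiction_country"].upper(),
            f.get("jurisdiction_state", "").casefold(),
            f["registration_number"])

def same_entity(dn_a, dn_b):
    a, b = ev_identity(dn_a), ev_identity(dn_b)
    return a is not None and a == b   # the organization name alone never decides

# Constructed sample subjects: same name, different registrations, plus a DV cert.
CERT_A = r"CN=bank.example,O=Example Bank\, Inc.,jurisdictionC=US,jurisdictionST=Delaware,serialNumber=1234567"
CERT_B = r"CN=examplebank.example,2.5.4.10=Example Bank\, Inc.,1.3.6.1.4.1.311.60.2.1.3=US,1.3.6.1.4.1.311.60.2.1.2=Kentucky,2.5.4.5=7654321"
CERT_DV = "CN=example.test"
```
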