[KingMachiavelli]

Isn't the main issue that TLDs are a poor way of establishing trust?

Otherwiae does every company and government need to get specialized TLDs to prevent impersonation? Even then it only works is users know and always notice the domain.

EV certs are dead for good reason but nothing seems to have replaced them.

I guess the only option is to verify each site once and then bookmark it and always make sure it's https. But on the first visit, how do I know chase.com is Chase Bank?

[frei]

Well the back of my Chase card says chase.com.

If you tend to use search engines to find websites, you are trusting the search engine to give you the website for Chase Bank.

[why_only_15]

I feel like google is less likely to give me something fraudulent than e.g. the risk of me misspelling chase or the like

[laken]

an attacker could purchase google ads for "chɑse.com" (note the unicode "s" instead of "s"

[knolax]

Isn't the homoglyph the IPA "ɑ" character used in place of Basic Latin "a"? The homoglyph URL attack also has some downsides because Unicode is only supported for domains through an extension system, most browsers will convert the above to "xn--chse-r5b.com" after you visit the link.

[why_only_15]

Seems unlikely google would let scammers with fake domains purchase ads, though maybe they have in the past.

[dredmorbius]

EV certs, for the curious, extended validation certificates:

https://en.wikipedia.org/wiki/Extended_Validation_Certificat...