by SifJar 2139 days ago
I think the justification is that some people will think the website is legitimate if a legit hostname appears anywhere in the URL e.g.

http://scamsite.com/microsoft.com/phish

"looks" legit because it contains the string "microsoft.com" (and most "regular" users won't appreciate the different parts of a URL); under the new scheme, that would display only as "scamsite.com" and hopefully people are less likely to enter their microsoft username/password if "microsoft.com" doesn't appear anywhere in the address bar.

I'm not overly convinced of this personally, but I think that's the supposed idea behind it.


I think microsoft.scamsite.com would fool most of the people that scamsite.com/microsoft would. It's a very difficult problem. Can't we have something like certificates for domains, so we can at least trust the most potentially vulnerable cases?
If EV certificates were good they'd be great for showing alongside the URL, but they're both expensive for most (used to be $100/yr if you go for the cheapest vendor, now heavily discounted since the URL bar change made it lose value) and the legal entity verification doesn't work, in the sense that company names aren't unique[0].

0: https://news.ycombinator.com/item?id=15904513

They (EV certificates) also don't do as much as you probably think they do. Or, I suppose, seen from a different angle, the actual dnsName matching does a lot more than you realise.

When you visit news.ycombinator.com obviously the browser confirms that the certificate presented is for news.ycombinator.com and not anything else. Because the machine does dnsName matches and machines are fast, it happens prior to every single transaction as necessary. In contrast EV information like company name can only be checked by a human, slowly, after a transaction already completed.

Suppose I hit this "reply" button to post this, but bad guys have just at that moment intercepted my network connection. The browser connects to news.ycombinator.com and... their certificate either isn't trustworthy or isn't for news.ycombinator.com and so this text is never sent to the bad guys at all.

But EV certificate details are only useful retrospectively. The browser can tell me after the fact that it posted the response to "Phishing Corp. Ha Ha Ha We've Got Your Data Now" but it doesn't actually know that's the wrong place so it won't abort the transaction.

For this and other reasons the entire EV design doesn't really "work" from a security point of view, and wasn't ever really intended to. It's a marketing idea, not a security idea.
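The comparison above between dnsName matching (done by the machine before the request is sent) and EV fields (readable only by a human afterwards) can be made concrete. The following is an added example and not code from the thread or from any browser: it implements the RFC 6125 host-name check against a certificate's subjectAltName dNSName entries (case-insensitive labels; a wildcard only as the whole left-most label, matching exactly one label) and shows that the organisation field plays no part in the connect/abort decision. The certificate object, its organisation string and the host names are constructed for the example.

```javascript
// Added example: the host-name check a TLS client performs before sending a request.
// `presentedCert` is a constructed stand-in for a parsed certificate.
const presentedCert = {
  dnsNames: ['news.ycombinator.com', '*.ycombinator.com'],
  // EV-style identity field; the browser does not consult it when matching the host.
  subjectOrganization: 'Phishing Corp. Ha Ha Ha We Have Your Data Now', // constructed
};

// Does one dNSName entry cover the requested host (RFC 6125 style)?
function dnsNameMatches(entry, host) {
  const p = entry.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length) return false; // a wildcard stands for exactly one label
  if (entry.includes('*')) {
    // The wildcard must be the entire left-most label and must leave at least two
    // literal labels to the right ('*.com' is rejected, as browsers do).
    if (p[0] !== '*' || p.slice(1).some((l) => l.includes('*')) || p.length < 3) {
      return false;
    }
  }
  return p.every((label, i) => label === '*' || label === h[i]);
}

function certMatchesHost(cert, host) {
  return cert.dnsNames.some((name) => dnsNameMatches(name, host));
}

// The decision the browser makes before a single byte of the request leaves the
// machine. Only chain trust and the dNSName match are inputs; the organisation
// string is not.
function shouldSendRequest(cert, host, chainTrusted) {
  if (!chainTrusted) return { send: false, reason: 'chain not trusted' };
  if (!certMatchesHost(cert, host)) {
    return { send: false, reason: `no dNSName covers ${host}` };
  }
  return { send: true, reason: 'dNSName match' };
}

// Demonstration on constructed hosts.
for (const host of ['news.ycombinator.com', 'ycombinator.com', 'a.b.ycombinator.com',
                    'news.ycombinator.com.attacker.example']) {
  console.log(host, '->', shouldSendRequest(presentedCert, host, true));
}
```

Note that `*.ycombinator.com` does not cover the bare `ycombinator.com` nor a two-level subdomain, and that a host name which merely contains the genuine name as a prefix is rejected outright. None of this depends on a human reading the certificate.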

Firefox's approach actually doesn't have this issue, it highlights only the actual domain. So for microsoft.scamsite.com, scamsite.com would be highlighted, and the rest in a darker gray.
One could hide the subdomain too (yes, I know there are cases where you have a different trust relationship depending on subdomain - but these are rare).
In my experience companies are pretty bad at always using their own domain even for legitimate things. I suspect it is because getting IT to do something like setting up a subdomain in any company I've worked in is virtually impossible, whereas buying a new domain is easy.

So I think most users wouldn't think something like `microsoft-it-support.com` would be suspicious.
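The thread has now covered four shapes of URL: a brand name in the path (`scamsite.com/microsoft.com/phish`), a brand name as a subdomain (`microsoft.scamsite.com`), Firefox's highlighting of only the registrable domain, and a look-alike registrable domain (`microsoft-it-support.com`). The following is an added example, not code from the thread or from any browser, that classifies where a brand string appears in a URL using the WHATWG URL API and a registrable-domain (eTLD+1) computation; it goes slightly beyond the thread by also handling multi-label public suffixes such as `gov.sk.ca`. The brand list, the miniature public-suffix set and the sample URLs are constructed for the example.

```javascript
// Added example: URL triage by where a brand string appears, as a phishing-report
// tool might do it. PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public
// Suffix List; a real tool would load the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'ca', 'sk.ca', 'gov.sk.ca', 'example', 'co.uk']);

// Registrable domain (eTLD+1): the part Firefox highlights in the address bar.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  // Walk from the shortest suffix to the longest one that is still public; the
  // first label to its left completes the registrable domain.
  for (let i = labels.length - 1; i > 0; i--) {
    const suffix = labels.slice(i).join('.');
    const longer = labels.slice(i - 1).join('.');
    if (PUBLIC_SUFFIXES.has(suffix) && !PUBLIC_SUFFIXES.has(longer)) return longer;
  }
  return hostname.toLowerCase();
}

// Where does the brand show up? One of:
//   'host'       the brand's own registrable domain (what the user expects)
//   'lookalike'  the brand string is embedded in a different registrable domain
//   'subdomain'  the brand appears only in a subdomain of someone else's domain
//   'path'       the brand appears only in the path, query or fragment
//   'absent'     the brand is not mentioned at all
function classifyBrandMention(rawUrl, brandDomain) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase();
  const reg = registrableDomain(host);
  const brandName = brandDomain.toLowerCase().split('.')[0]; // 'microsoft' from 'microsoft.com'
  if (reg === brandDomain.toLowerCase()) return 'host';
  if (reg.includes(brandName)) return 'lookalike';
  if (host.includes(brandName)) return 'subdomain';
  const rest = (url.pathname + url.search + url.hash).toLowerCase();
  if (rest.includes(brandName)) return 'path';
  return 'absent';
}

// What a registrable-domain-only address bar would show, and the part it would highlight.
function addressBarView(rawUrl) {
  const host = new URL(rawUrl).hostname.toLowerCase();
  return { shown: host, highlighted: registrableDomain(host) };
}

// Demonstration on constructed URLs.
const samples = [
  ['http://scamsite.com/microsoft.com/phish', 'microsoft.com'],
  ['https://microsoft.scamsite.com/login', 'microsoft.com'],
  ['https://microsoft-it-support.com/', 'microsoft.com'],
  ['https://login.microsoft.com/', 'microsoft.com'],
  ['https://ehealthsask.ca/records', 'gov.sk.ca'],
];
for (const [u, brand] of samples) {
  console.log(u, '->', classifyBrandMention(u, brand), addressBarView(u));
}
```

The `lookalike` class is the one the thread identifies as hardest: `microsoft-it-support.com` is flagged only because the brand string happens to be a substring of a different registrable domain, and the same heuristic would also flag a legitimate site such as the `www.paypal-special.com` mentioned later in the thread, which is exactly why user education on a namespace like `*.gov.sk.ca` cannot be replaced by string matching.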

This is a huge problem in government from what I've seen. In Canada, every province code has a longstanding two-character .ca domain, and I think they all have a 'gov' 3rd-level domain. For example, in Saskatchewan we have gov.sk.ca. However, instead of using that namespace, some departments go and register domains that look like phishing URLs. How about ehealthsask.ca for everyone in Saskatchewan to access digital health records instead of ehealth.gov.sk.ca? Yep, that's a thing.

It's pure idiocy. Instead of teaching the public that *.gov.sk.ca is a trustworthy, government run namespace everyone has their own domains and the general public is left to guess what's legitimate and what's phishing. Good luck with that.

And they all buy overpriced SSL certificates.

Yeah, this is very annoying. It's not every company, but it's enough different companies to be a problem.

PayPal (a company that more or less constantly moans about phishing) operated www.paypal-special.com which is a tremendously phishy-looking name, but it was a real PayPal site until they shut it down.

One nice side effect of WebAuthn binding credentials to a dnsName is that you can't change domain names without trashing all the credentials. It's mechanically impossible. So when yet another marketing genius wants customers to go to some-daft-marketing-idea.example instead of your-actual-website.example they can put fluff on that site if they want, but any sign-in or other credentials stuff will need to happen on your-actual-website.example anyway.