by oneeyedpigeon 2141 days ago
I think microsoft.scamsite.com would fool most of the people that scamsite.com/microsoft would. It's a very difficult problem. Can't we have something like certificates for domains, so we can at least trust the most potentially vulnerable cases?

If EV certificates were good they'd be great for showing alongside the URL, but they're both expensive for most (used to be $100/yr if you go for the cheapest vendor, now heavily discounted since the URL bar change made it lose value) and the legal entity verification doesn't work, in the sense that company names aren't unique[0].

0: https://news.ycombinator.com/item?id=15904513

They (EV certificates) also don't do as much as you probably think they do. Or, I suppose, seen from a different angle, the actual dnsName matching does a lot more than you realise.

When you visit news.ycombinator.com obviously the browser confirms that the certificate presented is for news.ycombinator.com and not anything else. Because the machine does dnsName matches and machines are fast, it happens prior to every single transaction as necessary. In contrast EV information like company name can only be checked by a human, slowly, after a transaction already completed.

Suppose I hit this "reply" button to post this, but bad guys have just at that moment intercepted my network connection. The browser connects to news.ycombinator.com and... their certificate either isn't trustworthy or isn't for news.ycombinator.com and so this text is never sent to the bad guys at all.

But EV certificate details are only useful retrospectively. The browser can tell me after the fact that it posted the response to "Phishing Corp. Ha Ha Ha We've Got Your Data Now" but it doesn't actually know that's the wrong place so it won't abort the transaction.

For this and other reasons the entire EV design doesn't really "work" from a security point of view, and wasn't ever really intended to. It's a marketing idea, not a security idea.
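An added example (not from the comment above, and not any browser's code) of the point being made about dnsName matching. Go's crypto/x509 implements the same RFC 6125 rules a browser applies before sending application data: the hostname is matched against the certificate's SAN dNSName entries, and nothing in the Subject (where the EV organisation name lives) is consulted at all. The certificates below are constructed in memory for the demonstration (they are unsigned and would never chain to a root); the organisation string, the attacker domain `news.ycombinator.com.attacker.example` and the wildcard entry are assumptions chosen to illustrate the scenarios in the comment.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newCert builds an unsigned certificate object carrying only the two fields
// this demonstration needs: an EV-style Subject organisation (which the
// client never matches against anything) and the SAN dNSName entries (which
// the client matches against the hostname before any request is sent).
// Constructed test data, not a real certificate.
func newCert(org string, dnsNames []string) *x509.Certificate {
	c := &x509.Certificate{DNSNames: dnsNames}
	if org != "" {
		c.Subject = pkix.Name{Organization: []string{org}}
	}
	return c
}

// wouldSend reports whether a client that connected to host would go on to
// send application data given this certificate. VerifyHostname applies the
// dNSName rules (case-insensitive exact match, or a wildcard that stands for
// exactly one leftmost label); a mismatch aborts before any bytes go out.
func wouldSend(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Constructed certificates for the scenarios in the comment.
var (
	// The real site: a plain DV certificate with no organisation at all,
	// but the right SAN entries.
	legit = newCert("", []string{"news.ycombinator.com", "ycombinator.com"})

	// An interceptor presenting an impressive-looking organisation name
	// but a SAN for a domain it actually controls (assumed name).
	phish = newCert("Phishing Corp. Ha Ha Ha We've Got Your Data Now",
		[]string{"news.ycombinator.com.attacker.example"})

	// A wildcard certificate, to show how far the matching rules reach.
	wildcard = newCert("", []string{"*.ycombinator.com"})
)

func main() {
	cases := []struct {
		name string
		cert *x509.Certificate
		host string
	}{
		{"legit cert, right host", legit, "news.ycombinator.com"},
		{"phishing cert, EV-looking org", phish, "news.ycombinator.com"},
		{"wildcard cert, one label deep", wildcard, "news.ycombinator.com"},
		{"wildcard cert, two labels deep", wildcard, "a.news.ycombinator.com"},
		{"wildcard cert, bare domain", wildcard, "ycombinator.com"},
	}
	for _, tc := range cases {
		fmt.Printf("%-32s org=%q send=%v\n",
			tc.name, tc.cert.Subject.Organization, wouldSend(tc.cert, tc.host))
	}
}
```

The phishing certificate is rejected purely because `news.ycombinator.com` is not among its dNSNames; the organisation string never enters the decision, which is the asymmetry the comment describes. The wildcard cases are the caveat a practitioner should keep in mind: `*.ycombinator.com` covers `news.ycombinator.com` but neither the bare domain nor anything two labels deep.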

Firefox's approach actually doesn't have this issue, it highlights only the actual domain. So for microsoft.scamsite.com, scamsite.com would be highlighted, and the rest in a darker gray.
One could hide the subdomain too (yes, I know there are cases where you have a different trust relationship depending on subdomain - but these are rare).
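An added example (not Firefox's code, and not from the comment above) of how a URL bar decides which part of a hostname to highlight. Browsers split a host at the Public Suffix List boundary: the public suffix plus one label is the registrable domain, and everything to its left is a subdomain the attacker can choose freely. The suffix list below is a tiny constructed stand-in for the real one (which also carries wildcard and exception rules); `render` is an assumed text rendering that brackets the highlighted part instead of colouring it.

```go
package main

import (
	"fmt"
	"strings"
)

// publicSuffixes is a constructed excerpt standing in for the Public Suffix
// List. Entries like "co.uk" and "github.io" show why the split cannot simply
// take the last two labels.
var publicSuffixes = map[string]bool{
	"com":       true,
	"org":       true,
	"uk":        true,
	"co.uk":     true,
	"github.io": true,
}

// suffixStart returns the index of the label at which the longest listed
// public suffix begins. For a TLD not in the list the last label is treated
// as the suffix, which mirrors the real list's default "*" rule.
func suffixStart(labels []string) int {
	for i := 0; i < len(labels); i++ {
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			return i
		}
	}
	return len(labels) - 1
}

// splitHost divides a hostname into the part a browser de-emphasises
// (subdomains) and the registrable domain it highlights. ok is false when
// the host is itself a public suffix and so has no registrable domain.
func splitHost(host string) (sub, registrable string, ok bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	start := suffixStart(labels)
	if start == 0 {
		return "", host, false
	}
	registrable = strings.Join(labels[start-1:], ".")
	sub = strings.Join(labels[:start-1], ".")
	return sub, registrable, true
}

// render mimics the URL bar in plain text: the registrable domain is
// bracketed (the part Firefox shows in full contrast), the rest is left as
// the dimmed prefix. Assumed rendering for this example only.
func render(host string) string {
	sub, registrable, ok := splitHost(host)
	if !ok {
		return host
	}
	if sub == "" {
		return "[" + registrable + "]"
	}
	return sub + ".[" + registrable + "]"
}

func main() {
	for _, h := range []string{
		"microsoft.scamsite.com",
		"news.ycombinator.com",
		"login.example.co.uk",
		"victim.github.io",
		"scamsite.com",
	} {
		fmt.Println(render(h))
	}
}
```

`victim.github.io` is the case worth noticing: because `github.io` is on the list, the whole host is the registrable domain, so hiding subdomains would not hide anything there, while for `microsoft.scamsite.com` only `scamsite.com` is what the attacker had to register.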