by judge2020 2133 days ago
If EV certificates were good they'd be great for showing alongside the URL, but they're both expensive for most (used to be $100/yr if you go for the cheapest vendor, now heavily discounted since the URL bar change made it lose value) and the legal entity verification doesn't work, in the sense that company names aren't unique[0].

0: https://news.ycombinator.com/item?id=15904513

1 comment

They (EV certificates) also don't do as much as you probably think they do. Or, I suppose, seen from a different angle, the actual dnsName matching does a lot more than you realise.

When you visit news.ycombinator.com obviously the browser confirms that the certificate presented is for news.ycombinator.com and not anything else. Because the machine does dnsName matches and machines are fast, it happens prior to every single transaction as necessary. In contrast EV information like company name can only be checked by a human, slowly, after a transaction already completed.

Suppose I hit this "reply" button to post this, but bad guys have just at that moment intercepted my network connection. The browser connects to news.ycombinator.com and... their certificate either isn't trustworthy or isn't for news.ycombinator.com and so this text is never sent to the bad guys at all.

But EV certificate details are only useful retrospectively. The browser can tell me after the fact that it posted the response to "Phishing Corp. Ha Ha Ha We've Got Your Data Now" but it doesn't actually know that's the wrong place so it won't abort the transaction.

For this and other reasons the entire EV design doesn't really "work" from a security point of view, and wasn't ever really intended to. It's a marketing idea, not a security idea.
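The reply above rests on one mechanical check: before any request body leaves the browser, the host in the URL is compared against the certificate's dNSName entries, and nothing in the EV organisation fields takes part in that decision. The following is an added illustration, not code from either commenter or from any browser; it implements the dNSName comparison in simplified RFC 6125 form (case-insensitive, wildcard honoured only as the whole left-most label, matching exactly one label) and runs it against constructed certificate records. The `trusted_chain` field, the record layout and the hostnames ending in `.example` are assumptions made for the example.

```python
"""Added example: the pre-transaction dNSName check a TLS client performs,
contrasted with EV organisation data that the check never consults.

Certificate records below are constructed dictionaries, not real certificates.
"""

def hostname_matches(host: str, dns_names) -> bool:
    """Return True if `host` matches one of the certificate's dNSName entries.

    Simplified RFC 6125 section 6.4.3 rules:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the entire left-most label;
      * the wildcard matches exactly one label, so "*.ycombinator.com" does
        not match "ycombinator.com" or "a.news.ycombinator.com";
      * a wildcard needs at least two further labels, so "*.com" is rejected.
    """
    host_labels = host.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*"
                and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def decide(host: str, cert: dict):
    """Mirror the client's go/no-go decision taken before the request is sent.

    Returns (proceed, reason). Only chain trust (assumed here as a boolean
    field) and the dNSName list are examined; cert["organization"] is never
    read, which is the point the reply makes about EV data.
    """
    if not cert.get("trusted_chain", False):
        return False, "chain not trusted"
    if not hostname_matches(host, cert["dns_names"]):
        return False, "no dNSName matches " + host
    return True, "ok"


# Constructed records: a certificate for the real site, and one an interceptor
# might present. The interceptor's cert carries an EV-style organisation
# string, but that string is irrelevant to whether the request goes out.
SITE_CERT = {
    "dns_names": ["news.ycombinator.com", "*.ycombinator.com"],
    "organization": None,            # domain-validated, no EV fields
    "trusted_chain": True,
}
INTERCEPT_CERT = {
    "dns_names": ["news-ycombinator.example"],   # .example is reserved; constructed
    "organization": "Phishing Corp. Ha Ha Ha We've Got Your Data Now",
    "trusted_chain": True,
}


def run_checks():
    """Return the decisions for a few hosts, in the order a reader can inspect."""
    return {
        "site, exact name": decide("news.ycombinator.com", SITE_CERT),
        "site, wildcard": decide("apply.ycombinator.com", SITE_CERT),
        "site, too deep": decide("a.news.ycombinator.com", SITE_CERT),
        "interceptor": decide("news.ycombinator.com", INTERCEPT_CERT),
    }


if __name__ == "__main__":
    for label, (proceed, reason) in run_checks().items():
        print(f"{label:20s} -> {'SEND' if proceed else 'ABORT':5s} ({reason})")
```

The `decide` function is where the asymmetry sits: the host string is data the client already has, so the comparison can run on every connection; an organisation string only acquires meaning once a person reads it, which is necessarily after the connection decision has been made.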