[tialaramex]

> Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too

SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods. It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targetted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.

Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.

And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?

[hal9000-tng]

You are replying to a point that the GP didn't make. This was the precursor for the might-as-well-go-for-letsencrypt statement:

"What if they can register a very similar / regional domain that you didn’t set up already?"

In other words, they register fakebook.com and then just go get a TLS cert for it. If you're not looking carefully, you might not notice the difference.

Whether the CA system, with fungible, interchangeable certificates that can be issued by dozens of CA's (pinning excepted), is worth sinking lots of trust into is an entirely different matter ;)

[tialaramex]

The Web PKI does a pretty good job of making the web browser do what lay people assume it did anyway. Surely this is news.ycombinator.com or else why does it says so in the URL bar? Without the Web PKI there was no assurance of that whatsoever, which is not intuitively obvious.

But a very similar domain is the wrong domain. This is not a great novelty, people are aware that a ROJEX watch isn't the real deal, no surprise Fakebook isn't the social media site you actually wanted either.

In terms of authentication, this is where WebAuthn shines because it's tied to that actual domain name. Even if you're 100% dead certain this is really Facebook, your WebAuthn authenticator can't help you. There is no "Look, I know the URL says Fakebook, but ignore that, I am 100% sure this is really Facebook, just shut up and take my money" button.

[headmelted]

So my point was that having news.ycombimator.com in the title and address bar is not going to flag anything if they both match and have a SSL cert that's been signed by an authority.

Probably more relevant is that if I have registered luxowatch.com to sell my lovely watches, but am a small store, I certainly won't have registered (as yet) a bunch of global domains. There's nothing stopping you registering luxowatch.co.uk or luxowatch.net with a valid SSL cert to scam my potential customers. Cloning my site to one of those domains (with cert) can be done almost instantly for close to zero cost.