by Genbox
1604 days ago
How would you otherwise know that xoom.com is really PayPal? I believe it is PayPal because DigiCert says it is (with EV). That is much better than no validation - which is the default. Domains are not identities. They are a reference to an organization. PayPal owns more than 100 domains. Not only did DigiCert validate the organization through various procedures (e-mail, paystub, ID), but the validation is also asserted through an X.500 name, which is cryptographically signed in the X.509 certificate. So there is no way for others to spoof the identity. Attackers can easily copy the HTML/CSS/JS of the website to look and feel exactly like PayPal. Then they can go to Let's Encrypt and get a certificate, which offers no assertion on their identity, other than "Attackers own the domain paypal.xom.com" (a domain they purchased to spoof PayPal). In that case, the EV certificate is the _only_ way you can check if it is really PayPal.
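The comment's point is that a DV certificate's signed Subject carries nothing but a domain, while an OV/EV certificate's Subject also carries an organization name (and, for EV, jurisdiction attributes) that the CA signed. The Go program below is an added example written for this page, not code from the commenter or from any CA; it builds two self-signed certificates as constructed test data (one shaped like a DV certificate for the look-alike name, one shaped like an EV certificate for the real name), then parses each and reports which identity claims its Subject actually asserts. The `BuildExampleCert` and `Inspect` names are this example's own, and chain and signature verification is assumed to happen elsewhere; the example is only about what a trusted certificate's Subject says.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// jurisdictionOfIncorporationCountryName, one of the Subject attributes that
// the CA/Browser Forum EV Guidelines require and that DV/OV certificates lack.
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

// Assertion records what a certificate's signed Subject and SANs vouch for.
type Assertion struct {
	DNSNames     []string // every certificate, DV included, asserts control of these names
	Organization string   // signed O= attribute; empty on a DV certificate
	Jurisdiction string   // EV-only attribute; empty on DV and OV certificates
}

// Inspect parses a DER certificate and extracts the identity claims in its
// Subject. It does not validate the chain; that is assumed to be done first.
func Inspect(der []byte) (Assertion, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Assertion{}, err
	}
	a := Assertion{DNSNames: cert.DNSNames}
	if len(cert.Subject.Organization) > 0 {
		a.Organization = cert.Subject.Organization[0]
	}
	// Attributes Go does not map to a named field are kept in Subject.Names.
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidJurisdictionCountry) {
			if s, ok := atv.Value.(string); ok {
				a.Jurisdiction = s
			}
		}
	}
	return a, nil
}

// BuildExampleCert creates a self-signed certificate (constructed test data,
// not a CA-issued certificate) with the given Subject attributes and SANs.
// Pass empty org/jurisdiction to get a DV-shaped Subject.
func BuildExampleCert(cn, org, jurisdictionCountry string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	if org != "" {
		subject.Organization = []string{org}
	}
	if jurisdictionCountry != "" {
		subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidJurisdictionCountry, Value: jurisdictionCountry},
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed: a DV-shaped certificate for the look-alike domain from the
	// comment, and an EV-shaped certificate for the genuine one.
	dv, err := BuildExampleCert("paypal.xom.com", "", "", []string{"paypal.xom.com"})
	if err != nil {
		panic(err)
	}
	ev, err := BuildExampleCert("xoom.com", "PayPal, Inc.", "US", []string{"xoom.com"})
	if err != nil {
		panic(err)
	}
	for _, der := range [][]byte{dv, ev} {
		a, err := Inspect(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", a)
	}
}
```

Run it and the DV-shaped certificate reports only its DNS name, while the EV-shaped one additionally reports `Organization:PayPal, Inc.` and `Jurisdiction:US`. That difference is exactly what a browser's EV indicator surfaces: the organization name is an attribute inside the signed certificate, so a look-alike domain holder cannot add it without a CA vouching for it.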