by zuzun 1578 days ago
I don't see what's fundamentally wrong with EV certificates, as long as the certificate authorities do the proper verification. The certificates contain more than just the business name, so I think the criticism should be directed towards browsers that hide the relevant information behind 5 clicks.
3 comments

What about the Stripe Inc. example? That example alone is a pretty big nail in the coffin for EV in my opinion. Not to mention all the usability problems that user studies have found which render it effectively useless. It's not just the number of clicks either. What about how the corporate names don't match the TLDs? What about conglomerates that have all sorts of entity names? What about misspellings of corporate names, just like misspellings of TLDs?

The Stripe.com example is widely misunderstood, even by the person who did it.

It doesn’t matter that it was a name collision with Stripe the payment processor. EVs were not designed to resolve name collisions. They were not even intended to attest that a business is legitimate.

What matters is that Ian had to register a company to get that EV. Which means that if he had actually tried to scam people with it, the police would have a nice paper trail back to him.

The paper trail is the deterrent. All the EV does is attest to the existence of a paper trail.

Name collisions are not a problem in general. There are other people in the U.S. with the same first and last name as me. There are thousands of restaurants called “McDonald's” that all look the same even though they are owned by different companies.

It’s a solved problem. It is solved with legal documentation, like taxpayer ID numbers, articles of incorporation and payment records. The sole purpose of EV and OV certs is to cryptographically connect your browser to those.

> What matters is that Ian had to register a company to get that EV. Which means that if he had actually tried to scam people with it, the police would have a nice paper trail back to him.

Well, maybe. Maybe not:

> company formation agents signed up people who, for a fee, would declare themselves directors of newly created companies. Edwina Coales, a serial director of companies registered at 29 Harley Street, is or has been an officer at 1,560 of the companies listed on the Companies House website...

> In Britain, almost half of agents were happy to sell a company without checking the identity of the person buying it. If the agent does not record the beneficial owner of a company, then there is no way law enforcement officers can discover that information...

> From 2010 to 2013, cold callers harassed thousands of British households with claims that land near the Brazilian seaside town of Fortaleza would rocket in price thanks to the then-forthcoming World Cup. The cold callers seemed plausible, and 600 people put up a total of £19m. But, in 2013, the Insolvency Service stepped in, forcibly winding up a group of related companies involved in the scam, among them Pantheon Limited, and Pantheon Realty Consultancy Limited, both registered at 29 Harley Street.

> The only culprits the authorities could find were Ismael Rajabi and Ahmed Mohammadi, both from Afghanistan, whose names appeared on the companies’ registration documents. They are real people, but Companies House had, of course, not checked if they actually were the owners of the companies, which they were not. The real shareholders vanished, taking the investors’ money with them, and all the law could do was disqualify Rajabi and Mohammadi from being directors for 11 years.

https://www.theguardian.com/business/2016/apr/19/offshore-ce...

Yeah, about that paperwork...

1. The paper trail is probably not as good as you think. I feel like you're thinking of a US system where there might be some pretty solid systems in place, but what about all the other countries around the world? I'm sure there will be at least a few places that will not be great paper trails.

2. The paper trail only helps you after you've been scammed as a way to maybe track down whoever did that. A costly and time-consuming process which may be next to impossible if you think about the complications of shell companies and legal jurisdictions. Or are you suggesting that before you use a site you go through all this work proactively?

1. An EV or OV cert tells you where the company is registered. So the user, presented with this information in a nice UI, would be empowered to decide whether they want to order a new laptop from a store in their own jurisdiction, in a country with a legal system they can trust, or from anywhere.

2. Companies and law enforcement have lots of experience tracking paper trails. Is it perfect? No, obviously not. But it has worked well enough offline that in jurisdictions with good rule of law, we have little fear about checking out a new shop or restaurant for the first time.

Even if it's registered in a local jurisdiction, the paperwork may not be reliable and it will be possible for scammers in those jurisdictions to get that paperwork. It's not like there aren't plenty of shady incorporated companies already. It's still going to be a time-consuming and expensive process to track down the paper trails. Probably it will require a specialist. It can get pretty difficult pretty quickly as people use shell companies and god knows what other tricks that are available in these systems. And the police aren't going to just jump on the case and do this all for you. They don't have the resources. For the average person, your police report is going to go in the bin. You're gonna have to do a lot of work or pay someone to do it.

- there will be scammers even in the areas with stronger legal systems (look at one of the other sibling commenters RE: Britain, for example)

- having a paper trail is reactive, not proactive

- the average person will have a difficult time tracking down a paper trail

I must admit, I didn't consider that many US companies are incorporated in Delaware and otherwise hide their whereabouts. I checked the certificates of my bank and my tax authority and both provide sufficient information, which makes spoofing almost impossible.

My problem with EV certificates is that you're paying more for the certificate authority to do what they were supposed to be doing in the first place.

The certificate authority has no requirement to verify that they are emitting a certificate to a human person that has any legal right to the domain name they are obtaining the certificate for.

All the PKI requires of CAs (for DV certs) is to ensure that the entity requesting a certificate has control of the domain name they are requesting the certificate for. That entity may very well be a server, not a person; and it may very well be malware that has infiltrated Google's servers, requesting a certificate for google.com. It's not up to the CA to verify which it is, for DV certs.

> ...as long as... ...browsers that hide...

Sounds like EV is great in theory, nigh-worthless in practice.