[Kwpolska]

Turns out ”bank-grade security” is not something to strive towards. In the case of TLS certificates, most banks still believe they need EV certs, even though browsers stopped making any visual distinctions for EV certificates around 2018-2019.

[ocdtrekkie]

Apart from the fact one dev as a test exploited a loophole to make a single sort of convincing EV cert (which could easily be fixed by a policy change), EV certs are still vastly harder to exploit or clone than almost any other certificate. The eventual solution will be an EV cert that isn't named an EV cert so that the CA/B can protect their reputations for claiming they're a bad idea.

The fact the browsers stopped recognizing this is political, not based on any reality of sense. Everyone appeals to authority what the best way to do TLS is, and the problem is the authority is stupid.

[crote]

> which could easily be fixed by a policy change

It can't. Nothing is guaranteeing that organization names are globally unique, so getting an EV cert for a conflicting org name will always be possible. Well-known counterexamples are Apple (Beatles or tech company?), Nissan (computer repair guy, or car maker?), and Microsoft/MikeRoweSoft (some guy named Mike Rowe, or software giant from Redmond?).

Unless you're willing to retroactively cancel a massive number of trademarks, EVs with human-readable company names are not going to happen. The best you can do is some kind of unique company id, but who's going to check that "US0378331005" is the right one?

[ocdtrekkie]

This is actually not hard for most cases: Add a flag next to the name.

The other thing people don't realize is that cost is a huge mitigator: EV certs costing money makes them not worth using for an exploit.

[Kwpolska]

A flag of the country? Each US state has its own company register. A flag of the US state? Who is going to remember which company is incorporated where? Can you tell US state flags apart when they’re scaled down to a height of ~20 px?

[ocdtrekkie]

This is kinda looking for loopholes not recognizing the core reality of the situation. In addition to EV certs having a cost, you likely have to have a DUNS number which is globally unique, and that is a registry which can appropriately attribute you to a given country.

Is there many a hypothetical scenario where you could register a business, get a DUNS number, go through EV verification, be situated in the same country, somehow nobody stops you from registering an additional company called Microsoft?

...Maybe. And after spending a decent amount of money and leaving a massive trail of breadcrumbs to your identity with several different institutions, you will get sued, arrested, or both.

Meanwhile anyone can get a free Let's Encrypt cert for mlcrosoft.cn.

[Kwpolska]

Also, legal names of companies can sometimes not match the well-known brand, making it harder to decide if the EV cert was issued for the correct company.

[Kwpolska]

Is there any evidence of EV certs actually helping prevent phishing back when browsers showed them much more prominently? Or did users just not care/understand the difference?