So it was always the case there might be more than one stripe inc.
The problem is the browsers display of that information. Knowing this, why would you hide the domain of the website?
Quite often the mods will combine/replace a thread when this happens.
I'm definitely not defending Safari's UX choices for defaulting to hiding the website address. I disagree with Apple's decision. However, when there's a configurable way to solve the issue there's no reason to abandon the software.
You can re-enable the link if, like me, you'd like it to be quickly available.
chrome://flags/#show-cert-linkI don't see how we could provide a totally safe network of sites (where you can trust the identity of every site you're visiting), without having a "safe internet" where all the sites are known in advance and you can't leave this walled internet. But I really don't like the idea.
Maybe something like keybase could help, where sites could link their identity to social network accounts (twitter, Facebook, GitHub) or other websites.. and the browser would verify those connections (but it still faces a UI challenge)
Keybase already has your Public Key so to prove you own a domain it is sufficient to put a signature up and available in DNS to validate this claim.
An attacker does not have this validation signature and can thusly not arbitrarily sign sites as you.
I don't see how keybase would help for a Certificate Validation, especially since Keybase makes no actual attempts at indentifying you (that is a problem of your social circle on keybase)
Or do you check if the domain is similar to another one?
This is a very hard problem. Maybe the similar name approach could work if it displayed just a warning to the user when he visited a site owned by someone with a similar name to a sensitive site.
One of the top comments there suggested that the solution lies in relying on DNS which provides "globally unique" names.
But the commercial CA system already relies on domainnames. That is its weakpoint.
The author at ian.sh shows how additional checks by third party CAs, e.g., business registration, do not necessarily solve the problem either.
The best proposals I have seen for solving the problem are ones that have no reliance on third parties, e.g. certificate vendors, domainname vendors, etc. Another way to think of non-reliance on third parties is "middlemen". If they are necessary, then the system is vulnerable.
It is a very old problem that apparently has never been fixed. Today solutions that try to avoid middlemen do exist. But comprehension of why this is necessary is apparently still small-scale because focus remains on the commercial CA business, which seems to be at odds with any system that needs no such middlemen.
This author, who many HN readers know, explains it much better than I can: http://sprunge.us/NHTK
Users or businesses can create and exchange their own public keys directly. (Think of HTTPS like SSH.) They do not have to rely on third parties to assist them.
One does not need a third party CA to perform effective encryption. Have you ever wondered if browser warnings are an insidious way to keep commercial CAs in business?
Public keys are globally unique. Names are not. One could combine them (e.g. key fingerprint plus name) to form an identifier that is better than a name alone.
Recap:
Names alone are not enough to perform effective disambiguation via ICANN DNS or major-browser sponsored CA system. Volunteer-supported Wikipedia actually does a better job of disambiguating names than these commercial services.
Public keys can be generated directly by the named entity they represent instead of by third parties. Middlemen are unnecessary and cause the system to be vulnerable.
s/instead of/in addition to/
For example, DNSCurve-enabled nameservers are in the form key.name.tld, cjdns addresses have a key fingerprint embdedded in the users IPv6 address, etc.
Alternate:
http://ix.io/D2F (html)
Here in the UK there is another problem with EV certs, there is no way of registering a "trading name" or "doing business as (DBA) name" against a company so you can only have an EV cert issues against your actual registered business name. If that is different from your trading name and what you use as your domain name then they are less than worthless. For example, if the company is "Widgets of London Limited" but trade online as "Widgets Online" with the domain "widgetsonline.com" they cant get an EV cert with "Widgets Online" as the name - even if they own the registered trademark of it.
See https://certsimple.com/help/doing-business-as-or-trading-nam...
Maybe another solution to this is not to show just business name directly, force it to show the domain as well unless there is a registered trademark that is proven to be owned by the organisation and only then go the safari route of showing a shortened name?
> There will undoubtedly be many proposed solutions to this issue. Ultimately, though, any method that ends up giving users a legal entity is fatally flawed. As a result of how extended validation certificates work, browsers have few options to fix this. Having said that, they can take steps to ensure EV certificates do not override other critical parts of the user interface, like Safari does.
[0] Edit: Actually, on this note, might I suggest the HN link be changed to point to https://stripe.ian.sh/
This seems reasonable to me. If I had to chase you in court, I'd need your actual registered business name, and not your trading name. Further, there can be no verification of your trading name as there is no central registry or deduplication of trading names. If you could get a certificate naming your trading name, then so could a fraudster.
This does make trading names less useful on the Internet. As a consumer, I don't feel anything of value has been lost.
> ...unless there is a registered trademark that is proven to be owned by the organisation...
This doesn't work either since trademarks don't exist in a single namespace. A fraudster could register a trademark matching yours but for use in a different market.
On the topic of certs, last year, when Google announced they were now a root CA [1], I remarked that this made a lot of sense, because "who better to say that Google is indeed Google than Google itself?" [2]
I went on to write that not everyone runs a root CA because coordination of trust between various parties is difficult, and so are the mechanics and practices of running a CA, but if your browser (and/or OS) is the final gatekeeper of the trust anyway, why not just push trust towards the edges and out of the middle? Certainly, the most-visited websites could easily be in this boat.
As it stands today, the most-visited websites already don't use EV, because DV certs are good enough for their needs. People trust their website by fiat, simply by mental associations about their domain names, an imperfect process that makes plausibly-looking domain names such an effective tool for phishing. But users already fall for phishing conducted from ridiculous domain names too, so there's not much point.
[1] https://pki.goog/ [2] https://news.ycombinator.com/item?id=13495262
https://wiki.mozilla.org/CA/Dashboard#Information_Verificati...
Mozilla's process takes about two years on average (Google know what they're doing so it might be 18 months, people who are hapless or clueless often take 5+ years and give up) and most other trust stores seem to take longer, although heaven only knows what they're doing since we can't see it.
Ran this one through SiteTruth. It does display that the company is in Kentucky, but that's not too helpful.
The EV cert has something I haven't seen before - two StreetAddress fields:
streetAddress=STE 100
streetAddress=212 N. 2nd St
[1] http://www.sitetruth.com/fcgi/ratingdetails.fcgi?details=tru...
Note that for a real criminal enterprise these values are not likely to be useful. Best case they're a company doing secretarial stuff for thousands of clients they've never met. Worst case it's a building site.
Not unless they're in the same line of business. See https://www.nolo.com/legal-encyclopedia/question-trademark-i...
The Ars Technica link is just blogspam.
How? Jimmy B User obviously didnt know the correct url, thats how he got to the wrong site. A url like "htts://stripe-payments.com" in this scenario would look reasonably legit to most people.
For countries that don't have national business registration, browsers perhaps need to show more than just [US] etc.
But even then - how do I know what state Stripe is registered in?
Jimmy B may well know the right URL, but have clicked a maliciously crafted link in a phishing email or something similar. Jimmy may also have made a typo and have a chance of spotting it in the address bar.
It's not a perfect solution, but it'd help.
The same basic idea with email is helpful as well, creating a visual distinction for senders you expect to receive mail from and unknown senders. I don't think it is perfectly reliable due to issues with email but it does catch all phishing attempts that I've seen personally.
The GNU Name System or similar would help in some cases, but I don't think it really solves this particular problem. To confirm that a site is one the user cares about, the best way to do that is for the user to indicate that a site is one they care about and then look for that in the future. Then they only need to get the correct site once.
[note] Some banks would still defeat this by creating short term marketing campaign domains and then allowing them to expire... I guess to deal with that there would need to be a way to mark the main long term domain and give other domains the ability to ask a different domain to vouch for them as from the same organization. Then the user could just add one domain bookmark and it would just work for all other domains from that organization. At least unless the bank forgets to update that list before the domain expires...