undefined | Better HN

0 pointswahern6y ago0 comments

> Trademarks are a different matter, but getting an EV cert for a company that has the same incorporated name as a different company in a different state is completely legal.

It is legal. But it's also much more easily traced (even through various shell companies as process agents want to get paid), which compared to the way most crime works on the internet is infinitely more risky for the perpetrator.

Also, companies like banks regular scour business records for similarly named businesses, which means the window for fraud is smaller. I'm not surprised that someone would find it easy to spoof Stripe, but let's see how long they manage to spoof PayPal or Bank of America. If they don't already, EV certificates should issue only after the named entity has existed for N months (or years).

0 comments

3 comments · 2 top-level

gruez6y ago· 1 in thread

>Also, companies like banks regular scour business records for similarly named businesses, which means the window for fraud is smaller

can't they also scour the certificate transparency logs as well? I'd imagine that's easier and more reliable than scouring the public records of hundreds or thousands of jurisdictions.

wahernOP6y ago

I'm sure they can and do. But it's not an either-or situation. Also, AFAIU, EV certs won't even issue without heightened scrutiny regarding domain name ambiguity.

When SSL first came out there was a heavy focus on informing the public to check for the padlock; that if they were worried about fraud then checking for the padlock was a concrete step they could take to help reassure themselves. But there was never a similar campaign regarding EV certs. There were attempts, but they were short-lived and not nearly as aggressive. Partly that's because the messaging was more difficult, but it could have been done.

Google could have put more effort behind it. But they weren't interested, partly because as someone else mentioned they have their own ideas about how to move forward, ideas that just happen to fit in better with Google's commercial interests. Some of those ideas are reasonable, but again this isn't an either-or situation. They're making it either-or.

koolba6y ago

Adding the word “bank” is problematic on its own as the naming itself is regulated.

There’s a separate rule that you can’t name a new bank “America” or “USA” or anything like that. The existing ones are grandfathered but no new ones are allowed.

j / k navigate · click thread line to collapse