undefined | Better HN

0 pointseridius6y ago0 comments

> The intent with EV was that the presence of its UI element--regardless of what it said--would confer trust.

I don't see how you can say that.

If I go to paypal.com and see "Joe's Pizza Shack" in the green text, there's no way I'm going to trust it.

If a phisher is capable of legitimately acquiring a certificate that says "Stripe, Inc." just as they could one that says "Joe's Pizza Shack", then the presence of the green text means nothing more than "someone was convinced to pay money for green text", and it certainly doesn't mean I'm talking to the company I thought I was.

And the ability to get a legitimate certificate saying "Stripe, Inc." means that EV can aid phishing attacks, because the existence of the green text is supposed to trump all other trust indicators ("is paypalcares.com legitimate? It's got the green 'PayPal, Inc.' text, it must be!").

Which is to say, users don't notice if the green text is gone, meaning it has no benefit, and users may trust the green text over other warning signs, meaning the ability to successfully spoof another company's green text makes EV an attack vector rather than a defense.

0 comments

2 comments · 1 top-level

snowwrestler6y ago· 1 in thread

> then the presence of the green text means nothing more than "someone was convinced to pay money for green text"

It means someone was willing to pay money and publicly confirm their legal identity.

I think you under-appreciate the implications of that, and are overly focused on the mechanics of phishing (which is just one aspect of security). Even if EV certs are not any better than DV at preventing phishing, they're better for investigating phishing.

If that worked well, over time it would create a deterrence around using EV for crimes, which would not be perfect, but would create an improvement in trust.

But it doesn't work well. So to be clear, I'm explaining why EV certs exist--what they are actually for. I'm not claiming the system works great; in fact I think it's pretty crappy how poorly it's implemented by the browsers. As you note elsewhere, it's hard to see and do anything with the extra info in an EV cert. And I have to wonder why that is.

eridiusOP6y ago

> Even if EV certs are not any better than DV at preventing phishing, they're better for investigating phishing.

Except general phishing sites won't use them, which means they won't do anything for investigating phishing. There's no need for phishing sites to use them since users don't notice.

The only real scenario where they'd be used is in a spearfishing scenario where it's worth the risk in order to snag a high-value target, especially because it's a lot less likely that your misleading EV cert will be captured by investigators (once you're done with that one target, take down the site before anyone can look into it).

j / k navigate · click thread line to collapse