Extended Validation is Broken


Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for “Stripe, Inc” that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.

In this post, Ian outlines several web security flaws in current browser user interfaces. Browsers, in an attempt to be clever, hide several pieces of information that would tell users who is actually behind a particular website, such as the jurisdiction in which the certificate holder is incorporated. On top of that, Ian demonstrates flaws in the cross-jurisdictional business registration systems that allow like-named but unrelated business entities to coexist.

Browser vendors treat extended validation certificates as special cases, giving them visual priority over standard domain-validated certificates. The average user won’t know the difference—nor should they—when they see “Trusted Company X” highlighted in green in their browser’s URL bar. The expectation is that they’re actually viewing Trusted Company X’s website and not the website of some rando with a little bit of money to spare and a like-named business registration.
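As an added illustration (my code, not Ian's and not from the original post), the script below shows what the green bar throws away. The CA/Browser Forum EV Guidelines require an EV certificate's Subject to carry the organisation's jurisdiction of incorporation (OIDs 1.3.6.1.4.1.311.60.2.1.2 for state/province and .3 for country) and its registration number (serialNumber, 2.5.4.5) next to the organisation name, but browsers rendered only the O and C fields. The two Subject names are constructed sample data built with a minimal DER encoder, not real Stripe certificates; the registration numbers are made up, and only the Delaware/Kentucky jurisdictions come from the post.

```python
"""Added example: what the EV "green bar" shows versus what the certificate
says.  Not code from the original post; the two Subject names below are
constructed sample data, not real Stripe certificates."""

# Attribute OIDs.  The jurisdictionOfIncorporation* OIDs and serialNumber are
# the fields the CA/Browser Forum EV Guidelines require in an EV Subject.
OID_C = "2.5.4.6"                          # countryName
OID_O = "2.5.4.10"                         # organizationName
OID_SERIAL = "2.5.4.5"                     # serialNumber (registration number)
OID_BUSINESS_CATEGORY = "2.5.4.15"         # businessCategory
OID_JURIS_ST = "1.3.6.1.4.1.311.60.2.1.2"  # jurisdictionOfIncorporationStateOrProvinceName
OID_JURIS_C = "1.3.6.1.4.1.311.60.2.1.3"   # jurisdictionOfIncorporationCountryName


# --- minimal DER encoder (enough for an X.509 Name) ---------------------------

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 after."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_subject(attrs) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return _tlv(0x30, rdns)


# --- minimal DER decoder ------------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # assumes first arc is 0 or 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_subject(der: bytes) -> dict:
    """Return {dotted OID: string value} for every attribute in a DER Name."""
    tag, name, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)         # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)  # SEQUENCE { type, value }
            _, oid_body, vpos = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, vpos)  # every string type read as UTF-8
            attrs[_decode_oid(oid_body)] = val_body.decode("utf-8")
    return attrs


# --- what the UI shows versus what the certificate asserts --------------------

def browser_display(subject: dict) -> str:
    """The EV indicator of the time: organisation name plus country, nothing else."""
    return f"{subject[OID_O]} [{subject[OID_C]}]"


def legal_identity(subject: dict) -> tuple:
    """The fields that together identify one registered entity."""
    return (subject[OID_O], subject[OID_JURIS_C],
            subject.get(OID_JURIS_ST, ""), subject[OID_SERIAL])


# Constructed sample Subjects (registration numbers are made up).
DELAWARE_SUBJECT = encode_subject([
    (OID_BUSINESS_CATEGORY, "Private Organization"),
    (OID_JURIS_C, "US"), (OID_JURIS_ST, "Delaware"), (OID_SERIAL, "0000001"),
    (OID_C, "US"), (OID_O, "Stripe, Inc"),
])
KENTUCKY_SUBJECT = encode_subject([
    (OID_BUSINESS_CATEGORY, "Private Organization"),
    (OID_JURIS_C, "US"), (OID_JURIS_ST, "Kentucky"), (OID_SERIAL, "0000002"),
    (OID_C, "US"), (OID_O, "Stripe, Inc"),
])

if __name__ == "__main__":
    for der in (DELAWARE_SUBJECT, KENTUCKY_SUBJECT):
        s = parse_subject(der)
        print(browser_display(s), "->", legal_identity(s))
```

Run it and both subjects render as the identical string the green bar would have shown, while the full legal identity differs in jurisdiction and registration number. The parser can be pointed at the Subject of a real DER certificate, but it is a demo: it treats every string type as UTF-8 and assumes the first OID arc is 0 or 1, so use a proper ASN.1 library for anything beyond a look.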

Visit “Extended Validation is Broken”