Extended Validation Certificates can be deceptive

Their truth may not be the truth you expect

     
3:43 am on Dec 14, 2017 (gmt 0)

Senior Member from CA 


joined:Nov 25, 2003
posts:1107
votes: 264


Oops.

Ian Carroll (@iangcarroll [twitter.com]) incorporated 'Stripe, Inc.' in Kentucky (Stripe, Inc. the payment processor is registered in Delaware) and then purchased an extended validation certificate.

On opening the following linked page take a look at the little green padlock, the green 'Stripe, Inc' (Safari) or 'Stripe, Inc (US)' (FF, Chrome) and the URL (FF, Chrome; not shown at all in Safari) at the top of the open browser window, consider the dark side implications, and then read the article:
Extended Validation Is Broken [stripe.ian.sh]


Extended validation certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible
...
Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing.
...
Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo. However, when you hear "Stripe, Inc", you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the "Stripe, Inc" incorporated in Kentucky. This problem can also appear when dealing with different countries.

Once again: caveat emptor.
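
An added example, not part of the post above or of the linked article: a relying party that pins the expected legal entity has to compare the jurisdiction-of-incorporation attributes in the EV subject, because the organization and country that the browser displays are identical for both companies. The subject strings are constructed for illustration, and the short attribute names `jurisdictionST` and `jurisdictionC` are assumed to be how the certificate tool prints those fields.

```python
import re

# EV subject attributes compared below (short names assumed, see lead-in):
#   O               2.5.4.10                   organization name
#   C               2.5.4.6                    country
#   jurisdictionST  1.3.6.1.4.1.311.60.2.1.2   state of incorporation
#   jurisdictionC   1.3.6.1.4.1.311.60.2.1.3   country of incorporation

def parse_dn(dn):
    """Parse an RFC 4514 style subject string, honouring backslash escapes."""
    attrs = {}
    # A token is a run of escaped characters or of characters that are
    # neither a comma nor a backslash, so "Stripe\, Inc" stays in one piece.
    for rdn in re.findall(r"(?:\\.|[^,\\])+", dn):
        key, _, value = rdn.strip().partition("=")
        attrs[key] = re.sub(r"\\(.)", r"\1", value)  # remove the escapes
    return attrs

def browser_label(attrs):
    """Organization and country only, like the 'Stripe, Inc (US)' label."""
    return f"{attrs['O']} ({attrs['C']})"

def legal_entity(attrs):
    """Organization plus where it is incorporated."""
    return (attrs["O"], attrs["jurisdictionC"], attrs.get("jurisdictionST"))

def is_expected_entity(dn, expected):
    """True only if the name and the jurisdiction both match the pinned entity."""
    return legal_entity(parse_dn(dn)) == expected

# Constructed subjects, not copied from real certificates.
KENTUCKY_DN = (r"CN=stripe.ian.sh,O=Stripe\, Inc,"
               r"jurisdictionST=Kentucky,jurisdictionC=US,C=US")
DELAWARE_DN = (r"CN=www.example.com,O=Stripe\, Inc,"
               r"jurisdictionST=Delaware,jurisdictionC=US,C=US")
EXPECTED = ("Stripe, Inc", "US", "Delaware")

if __name__ == "__main__":
    for dn in (KENTUCKY_DN, DELAWARE_DN):
        attrs = parse_dn(dn)
        print(browser_label(attrs), legal_entity(attrs),
              is_expected_entity(dn, EXPECTED))
```

Both subjects produce the same display label, and only the jurisdiction comparison tells them apart.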
9:23 am on Dec 14, 2017 (gmt 0)

Senior Member from GB 


joined:Nov 16, 2005
posts:2749
votes: 110


Part of the problem is browsers that hide or trim URLs....