Extended Validation Is Broken

December 13, 2017 – 5:38 AM

Extended validation (“EV”) certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name.

Generally, this process works fairly well, and there are few misissuances. There are not a lack of problems, however. Extended validation certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company “Identity Verified”. Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing.

Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.

How can a user tell which one you’re talking to? Browsers hide this information at first glance, at most showing the country of incorporation. Obviously, here, both the real and fake Stripe are in the same country. With enough mouse clicks, you may be able to open a system certificate viewer, or get your browser to show you the city and state. But neither of these are helpful to a typical user, and they will likely just blindly trust the bright green indicator.


You must be logged in to post a comment.