
PayPal's Beautiful Demonstration of Extended Validation FUD - Digit-Al
https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/
======
captn3m0
I run infra for a payments company and switched our main website from EV to DV
last month silently. This is the landing website, not the application (which
had always been DV). There have been ZERO people who have noticed, including
peers in my Infra or Security teams.

~~~
snowwrestler
It's obvious that EV does nothing for end users these days, which is why I
think these "EVs are useless" articles from Troy and others are kind of silly,
like dunking over a person with two broken legs.

I think the far more interesting question is _why_ EV certs do nothing for end
users, and why browser makers have not introduced any new features to replace
what EV certs were intended to do: help end users understand which websites
they can trust on first visit.

The entire Internet industry has absolutely punted on this problem. It's a
hard problem, but no one is trying to solve it!

And it is absolutely striking to compare against how well this problem has
been solved in real life, at least in the U.S. You can walk into any retail
establishment in the nation and reasonably expect to have a safe, productive
interaction with a proprietor you don't know--even on the first visit.

It's the exact opposite on the Internet, and it's insane that everyone just
accepts that.

~~~
viraptor
> this problem has been solved in real life, at least in the U.S.

I haven't spent enough time in the US to have an opinion about it, but in many
places this is not true. For example, taxi services in many countries seem to
pretty commonly be ripe for dodgy behaviours with little accountability.

It's really about that accountability - what are you going to do against an
internet entity which scammed you? How effective is that action going to be?

~~~
snowwrestler
> It's really about that accountability - what are you going to do against an
> internet entity which scammed you? How effective is that action going to be?

Accountability was supposed to be the extra value of OV and EV certificates.

If you look at the cert for
[https://www.walmart.com/](https://www.walmart.com/), you see the following
Subject fields:

    Common Name = www.walmart.com
    Organization = "Wal-Mart Stores, Inc."
    Locality = Bentonville
    State = Arkansas
    Country = US

The certificate authority (GlobalSign in this case) is attesting that this is
accurate identification information for this company--that you can use this
information to locate legal records for the company and contact it, sue it,
investigate it, prosecute it, etc. DV certs do not have the bottom 4 fields.

That's what the famous "green banner" in the address bar was supposed to
convey--that this website has a paper trail that can be used to impose
accountability.

That's NOT a guarantee that the website will treat you well. It is a guarantee
that you can try to do something if it doesn't. Even if a corporation is only
established temporarily for the purposes of getting an EV cert to run a scam,
that still leaves a legal paper trail. DV certs do not.

And this is a standards-based distributed system. It doesn't rely on one
company like Google or Microsoft, or one particular browser, or even one
particular CA. If Wal-Mart doesn't like GlobalSign anymore, they can go to
another CA like Digicert. If you don't like Chrome, you can use Firefox--they
can both read this cert information equally well.

IMO it is really a shame that the Internet industry was not able to lean into
this concept of accountability. For example, why don't browsers surface this
company contact info directly to consumers? The way that a consumer can easily
find the street address for a store they visit? Instead it's buried 4 clicks
deep in a complicated cert menu. Why don't they supplement it with a link to
the corporate record of the company? Or to the Dun and Bradstreet listing? Or
to the police department website in the registered locality? (Bentonville, AR
in the case of Walmart) Or to the Better Business Bureau in that state?

It just seems like there has been the opposite of innovation into this concept
of using certs to provide IRL accountability for websites.

~~~
Dylan16807
For accountability: Knowing who to sue doesn't really get my $50 back from
some jerk. The effort put into small claims makes it a net loss. My best
option is a chargeback, and the cert doesn't do anything.

For reputation: I have no idea if that's the company name of Wal-Mart. It's
barely better than verifying the domain name.

~~~
snowwrestler
If you walked into a store on Main Street and got scammed for $50, would you
just throw up your hands? Or would you call the cops? If you did call the
cops, they would have the address of the store to start their investigation.
And aside from maybe getting you your $50 back, the state might prosecute the
scammer for committing a crime.

EV and OV certs are intended to provide similar information. If you report a
scam by a website with an EV or OV cert, the police can use the information in
the cert to start their investigations. There's more to accountability than
small claims court.

Setting aside the cert issue, it's just striking how many people take it for
granted that there are no consequences and no recourse for online crimes. How
did we come to accept this as normal, as a society?

~~~
Dylan16807
In person I'd try some things. Online I really doubt the cops are going to
care about $50.

> How did we come to accept this as normal, as a society?

Probably because it's so much harder to pin down specific actors. That cert
only does so much.

------
jzl
I'm surprised no one has mentioned the main practical benefit of EV certs: the
fact that a green cert in the browser ensures that there is no man-in-the-
middle network proxy/appliance intercepting the traffic even if a trusted
certificate for the proxy/appliance (or bad guy) has been placed in your
machine's cert store. Browsers will only honor the EV setting in the cert if
it was signed by a hardwired (and much shorter) list of CAs.

As long as you, the user, trust that the browser itself hasn't been modified
(for example if you downloaded it yourself), then it's a nice reassurance when
using a browser in a not totally trusted environment.
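
The Subject fields snowwrestler quotes above and the EV mechanism jzl describes here are the two things a browser actually reads before it decides what to show. The following is an added example, not code from the thread, from Troy Hunt's post or from any browser: a standard-library Python decoder that pulls the Subject attributes and the certificatePolicies OIDs out of DER and applies the browser-style rule, EV only when the CA/Browser Forum EV policy OID (2.23.140.1.1) is present and the chain ends at a root on the browser's fixed EV list. The CA/B Forum policy OIDs and X.520 attribute OIDs are the real ones; the CA-specific policy OID, the two root identifiers and the sample Subject are constructed stand-ins (the Subject is modelled on the quoted walmart.com fields, not taken from the real certificate).

```python
"""Decode the two things a browser consults before showing organisation identity: the
Subject name and the certificatePolicies extension. Standard library only."""
from typing import Dict, Iterator, List, Set, Tuple

# X.520 attribute types behind the Subject fields quoted in the thread.
NAME_OIDS: Dict[str, str] = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.7": "L",
                             "2.5.4.8": "ST", "2.5.4.6": "C", "2.5.4.11": "OU"}
# CA/Browser Forum reserved policy identifiers (EV Guidelines / Baseline Requirements).
CABF_POLICIES: Dict[str, str] = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV",
                                 "2.23.140.1.2.1": "DV"}
HYPOTHETICAL_CA_OID = "1.3.6.1.4.1.99999.1.1"   # stand-in for a CA's own policy OID (constructed)
PUBLIC_EV_ROOT, CORP_PROXY_ROOT = "sha256:public-ev-root", "sha256:locally-installed-proxy-root"
EV_ROOTS: Set[str] = {PUBLIC_EV_ROOT}   # the browser's fixed EV list; a root you install is never on it

def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                  # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value UTF8String }."""
    by_short = {v: k for k, v in NAME_OIDS.items()}
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, encode_oid(by_short[k]) + tlv(0x0C, v.encode())))
                               for k, v in rdns))

def encode_policies(oids: List[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }."""
    return tlv(0x30, b"".join(tlv(0x30, encode_oid(o)) for o in oids))

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """One DER element as (tag, value, next_pos); definite lengths only, as DER requires."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0   # exact while the first arc is 0, 1 or 2
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode_name(der: bytes) -> List[Tuple[str, str]]:
    """Subject in DER order (C first, CN last); certificate viewers usually show it reversed."""
    out = []
    for _, rdn in children(read_tlv(der)[1]):        # each RDN is a SET of one or more ATVs
        for _, atv in children(rdn):
            (_, oid), (vtag, val) = list(children(atv))[:2]
            text = val.decode("utf-16-be") if vtag == 0x1E else val.decode("utf-8")
            out.append((NAME_OIDS.get(decode_oid(oid), decode_oid(oid)), text))
    return out

def decode_policies(der: bytes) -> List[str]:
    return [decode_oid(next(children(info))[1]) for _, info in children(read_tlv(der)[1])]

def classify(subject_der: bytes, policies_der: bytes, root_id: str, ev_roots: Set[str] = EV_ROOTS) -> str:
    """Browser-style rule: EV needs the CA/B EV policy OID *and* a chain to a root on the
    fixed EV list, so EV asserted under a locally installed interception root rates only OV."""
    levels = {CABF_POLICIES[o] for o in decode_policies(policies_der) if o in CABF_POLICIES}
    if "EV" in levels and root_id in ev_roots:
        return "EV"
    if "EV" in levels or "OV" in levels:
        return "OV"
    if "DV" in levels:
        return "DV"
    return "OV-shaped (no CA/B policy OID)" if "O" in dict(decode_name(subject_der)) else "DV-shaped (CN only)"

# Constructed sample modelled on the Subject quoted above; not the real walmart.com certificate.
ORG_SUBJECT = encode_name([("C", "US"), ("ST", "Arkansas"), ("L", "Bentonville"),
                           ("O", "Wal-Mart Stores, Inc."), ("CN", "www.walmart.com")])

if __name__ == "__main__":
    print(decode_name(ORG_SUBJECT), classify(ORG_SUBJECT, encode_policies(["2.23.140.1.1"]), CORP_PROXY_ROOT))
```

The last branch of `classify` is the point snowwrestler makes: with no CA/B Forum policy OID at all, the presence of O/L/ST/C only tells you the CA claims to have checked an organisation. The `CORP_PROXY_ROOT` case is jzl's: a root pushed into the machine's store can mint a certificate that carries the EV OID, but since that root is not on the browser's built-in EV list the result is reported as OV, never EV. Real browsers key that list on root fingerprints paired with the CA's own EV policy OID rather than on a bare string.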

~~~
CherryJimbo
Browsers are moving away from showing differences between EV and DV certs
nowadays though. And anyone can register a company name and get an EV cert -
that doesn't make it trusted. [https://stripe.ian.sh/](https://stripe.ian.sh/)
is a prime example of this.

HTTPS is a nice reassurance, sure, but an EV cert isn't.

~~~
LeoPanthera
> [https://stripe.ian.sh/](https://stripe.ian.sh/) is a prime example of this.

It used to be. All his EV certs were revoked.

~~~
CherryJimbo
Sure, but my point doesn't change. [https://scotthelme.co.uk/the-power-to-
revoke-lies-with-the-c...](https://scotthelme.co.uk/the-power-to-revoke-lies-
with-the-ca/) is a good write-up about that.

------
geekpowa
"PayPal really doesn't care that the world's most popular browser no longer
displays the EV visual indicator."

OT but hopefully interesting: Paypal doesn't care about many things. Like
keeping their callback JVMs up2date, or changing their UAs from defaults to
disguise their enabling tech.

2019.05.20 xxxx|173.0.81.33|xxxx|POST xxxx/paypal/callback
HTTP/1.1|200|954|-|Java/1.8.0_60|xxx|xxxxxxx 2

~~~
nikanj
I'm really happy that Paypal ops is not upgrading anything just for the sake
of upgrading it. At that scale, changes should be approached with extreme
caution.

~~~
jmgrosen
Well, perhaps they should upgrade it for the sake of the ~170 CVEs that have
been published against Java 1.8.0_60?
[https://www.cvedetails.com/vulnerability-
list.php?vendor_id=...](https://www.cvedetails.com/vulnerability-
list.php?vendor_id=93&product_id=19116&version_id=&page=4&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=597&sha=52d5e2189c154fbfa1e3d4ba0a13fc6b00642bc4)

Sure, a lot of those probably don't apply to how they're using Java, but I'd
bet at least a couple do.

~~~
sroussey
Vendors often backport CVEs without changing version numbers.

~~~
viraptor
Or review the details and decide that the specific issue doesn't apply to
them. This actually makes sense in larger environments.

------
blattimwind
Firefox 66 does not show EV indicators, either, any more.

But I would also like to point out that PayPal is a known bad player when it
comes to phishing, so no one really should give a damn what they do, and if
you do the opposite of what PayPal does in security you are probably doing
better than them.

~~~
Leace
Interesting because I've got Firefox 67 and Paypal.com does show EV indicator.
Actually I see the same in Google Chrome 74.

~~~
penagwin
I'm seeing the EV indicator with Chrome 74.0.3729.169 on Mac OSX Mojave 10.14
(18A391)

Edit: I also see the EV cert on Firefox 66.0.5 and 67.

I can't really tell if safari has an EV indicator or not? I really don't use
it much but it looks like this
[https://i.imgur.com/9asQkbN.png](https://i.imgur.com/9asQkbN.png) Safari
version 12.0 (14606.1.36.1.9)

~~~
alistairSH
On MacOS, Safari uses the green (as shown in your png) for EV certs. HN does
not appear to have an EV cert, as it's a gray padlock (not green). And, Paypal
does appear with the EV green on my Mac as well.

------
smnrchrds
Tangential question: neither McDiarmid's "Kill Sticky Headers" [0] nor its
improved version [1] work on this website. Does anyone know how the
bookmarklet can be changed to work here?

[0] [https://alisdair.mcdiarmid.org/kill-sticky-
headers](https://alisdair.mcdiarmid.org/kill-sticky-headers)

[1]
[https://news.ycombinator.com/item?id=19962875](https://news.ycombinator.com/item?id=19962875)

~~~
fiddlerwoaroof
Is the bookmarklet being blocked by a CSP? There should be an error in the
console about that (on chrome, at least)

~~~
smnrchrds
Indeed it is. So I guess there is no way around it?

~~~
Someone1234
A browser extension. Most can run in a context above CSP.

~~~
fiddlerwoaroof
Yeah, interestingly enough the CSP spec says that this behavior is wrong, but
browser makers don’t seem to care.

[https://bugzilla.mozilla.org/show_bug.cgi?id=866522](https://bugzilla.mozilla.org/show_bug.cgi?id=866522)

[https://bugs.chromium.org/p/chromium/issues/detail?id=233903](https://bugs.chromium.org/p/chromium/issues/detail?id=233903)

~~~
bzbarsky
We do in fact care. I put up a fix on
[https://bugzilla.mozilla.org/show_bug.cgi?id=1478037](https://bugzilla.mozilla.org/show_bug.cgi?id=1478037)
just yesterday which will make [https://alisdair.mcdiarmid.org/kill-sticky-
headers](https://alisdair.mcdiarmid.org/kill-sticky-headers) work in Firefox
no matter what the CSP says. I fully expect to get that landed sometime in the
next few weeks.

Making CSP not affect bookmarklets at all (as opposed to not affecting whether
they execute) is a different situation entirely, because bookmarklets by
definition execute in the JS environment of the page (unlike extensions, say),
so it's not really possible to tell apart things that the bookmarklet does
from things the page does. For example, what should happen if the bookmarklet
calls a page-defined function that then does a subresource load? What if a
bookmarklet defines a function to do a subresource load that the page later
calls? Note that from the point of view of the JavaScript engine the functions
the bookmarklet defines and the ones the page defines are indistinguishable
from each other...

~~~
fiddlerwoaroof
Sorry, I was a bit frustrated with how long that (and similar bugs in other
browsers) have been open without resolution.

~~~
bzbarsky
I can understand that, for sure!

------
niftich
On the HN thread on Troy's last post about this, I said [1]:

 _" Big sites can get by with DV because people trust big sites by fiat, just
by mental associations they already have to a URL. There's no benefit to
Facebook having an EV cert, because literally everyone who'd want to visit
Facebook knows Facebook's URL. User error about entering credentials on the
wrong site -- accidentally due to typosquatting, or through leading such as
phishing -- is better mitigated in other ways: multi-factor authentication
(especially unproxiable such as U2F); not by making the high-profile site pay
thousands of dollars for a text string in green, when there's users who fall
victim to phishing from bizarre domains too."_

Ultimately, this is a bad example to show that EV is pointless. The biggest
benefit of EV is as a flawed signal of legitimacy [1] for sites whose URLs
aren't widely known and get a fair amount of first-time visitors: web presence
for real-life service businesses, specialized payment portals accessed through
redirects, and the like.

This is because people's mental model of the trust that EV confers is broken.
People typically care about whether the site they arrived at was the one they
were intending to visit, which the computer can't possibly know without
additional input, but EV has attained a role of serving as a flawed signal of
such, because the browser bar said something that doesn't look alarmingly
different.

EV formalizes the vetting between legal entity and domain name, so it
translates okay to entities that are firmly anchored in meatspace. But all of
this chaining of trust in people's heads is done by names and strings, and
experiments like stripe.ian.sh prove [2] why it's fallible. Nonetheless, EV
effectively allows one extra indirection between (1) the name of the business
as people refer and recognize it, and (2) the domain name that's likely
correct, than DV does -- and some operators and some visitors benefit from
this indirection, when the URL doesn't roll off the tongue.

[1]
[https://news.ycombinator.com/item?id=18010961#18011914](https://news.ycombinator.com/item?id=18010961#18011914)
[2]
[https://news.ycombinator.com/item?id=15904513#15909273](https://news.ycombinator.com/item?id=15904513#15909273)

~~~
danpalmer
> literally everyone who'd want to visit Facebook knows Facebook's URL

I'm not sure I'd agree with this. I don't think most people look at or really
understand URLs or domain names. I think people assume they are a lot
"fuzzier" than they are, so "facebookapp.com" or "facebook.foobar.com" or
anything else would be assumed to be "Facebook" by most people.

As technical people it's easy for us to assume things that feel basic to us
are at least understood but I don't think it's the case. My parents do most of
their shopping online, and when I was growing up we always had computers
around, but I don't think either one of them really understands URLs or things
like file hierarchies, or windowing systems on desktops for example.

~~~
cwyers
I have seen multiple people, mostly elderly, who will go to whatever search
engine that loads by default in their browser, search for Facebook, and click
on the link. Nothing close to everybody has Facebook's URL memorized.

~~~
danpalmer
Not everyone knows what a URL is, or understands the difference between a
search box and a URL text box.

------
JohnFen
I'm one of those who doesn't pay any attention to those EV cards at all. I
know I probably should, just out of completeness, but I don't. In fact, with
Firefox anyway, that spot where the EV indicator goes is used for enough weird
little things that I've sorta developed a blindness to anything that appears
there (I'm not saying that's a good thing!)

However, if I'm going to a site that really matters, I'm not clicking on some
link on a web page or email somewhere. I'm using the link I've bookmarked. So,
ignoring the EV cert is probably not putting me at too much risk.

~~~
syn0byte
I (used to) implement EV certs among other duties and _I_ don't pay attention
to them either.

Step One: Create Doofenshmirtz Evil LLC.

Step Two: Register HugsAndTrustBanking.com to LLC

Step Three: Get the legal services of Dewy Cheetum & Howe to issue a letter
stating Evil LLC is your legitimate business.

Step Four: Show CA "proof" of ownership for Doofenshmirtz Evil LLC and
HugsAndTrustBanking.com.

Step Five: Get genuine EV cert for your shady scam operation.

Step Six: Profit.

EV certs are dumb, you can trust me on that[0].

[0][https://i.imgur.com/1dbJUQ9.jpg](https://i.imgur.com/1dbJUQ9.jpg)

~~~
RcouF1uZ4gsC
Steps 1-3 generate quite a paper trail for you and step 3 generates a paper
trail for Dewy Cheetum & Howe.

Without an EV Certificate, you can just buy a domain name and use LetsEncrypt
to generate a DV certificate which is a much smaller paper trail.

------
Mbaqanga
"PayPal really doesn't care that the world's most popular browser no longer
displays the EV visual indicator."

Funny story - I was about to rant that yeah, it probably wasn't by design
because Paypal still as of 2019 didn't offer 2FA which, for a payment company,
was quite disturbing...

well, turns out I was wrong, they now do. I just hadn't checked in a while,
and of course received no email about it when they did turn it on... or maybe
just missed it. Typically something you should advertise on each login if it's
not activated, but hey, who cares, it's just money after all.

~~~
jtdowney
PayPal was very early in the 2FA movement, hardware security keys were
available starting in ~2008 ([https://systembash.com/using-the-paypal-
verisign-security-ke...](https://systembash.com/using-the-paypal-verisign-
security-key-with-openid-for-two-factor-authentication/)). If you're referring
to app based TOTP that is a relatively new option.

I was prompted to change to TOTP when I logged in.

------
unilynx
> Note: yes, I know there can be regulatory requirements for EV in some
> jurisdictions, but let's not confuse that with it actually doing anything
> useful

That exactly. Similarly confused about customers who think OV certificates are
better than DV - as far as I can tell no end user knows how to tell those
apart in their browser (no 'green' locks...)

------
nailer
Speaking of FUD:

> "the true meaning of SSL certificates"

The certificate fields for organisation, city, etc have existed and were
expected to be verified since SSL was created in the nineties. Anyone who has
ever made a CSR knows this.

Rolling back from checking the organisation to domain-only validation in 2003
was GeoTrust trying to increase profit margins. Again, Troy should already
know this and it's surprising he doesn't seem to.

Oddly enough Troy also Tweets from a verified account, which seems somewhat
unusual since a well known username should be enough according to his logic
against verifying websites.

Heads up: I run CertSimple, a startup that does faster, simpler verification
for EV.

~~~
tialaramex
I don't want this to end badly for you (via CertSimple), but as you perhaps
come to anticipate my primary concern is always preventing Future Harm. EV
hasn't been effective for that purpose.

The article I've just read never uses the phrase "the true meaning of SSL
certificates" that I can see, if that was removed I apologise but otherwise I
think I have to assume you're putting words in Troy's mouth.

"The certificate fields for organisation, city, etc have existed and were
expected to be verified since SSL was created in the nineties. Anyone who has
ever made a CSR knows this."

Anyone who understands what's actually going on here knows that these are part
of the X.500 directory system and are present in Netscape's SSL because it
leverages that system's X.509 certificate format. In 1999 PKIX (RFC 2459)
proposes how to use this system sensibly with the Internet and the modern Web
PKI largely falls out of that and its successor documents.

Prior to the CA/B Forum (and the creation of Extended Validation) the only
promises you had about what, if anything, in certificates you relied on had
been "verified" and to what extent, was written in the legal documents of the
issuing CA. In most cases they disclaimed all or almost all responsibility to
the extent possible. Their methods were... unsound.

Even today, when if you run Firefox (or more or less, Android) you can
actually trust that someone cares whether the validation was done properly,
it's more slip-shod than any of us should want. What has Certinomis been up to
for the past few years? What are all these certificates doing with ST=Some-State
(yes, literally the words "Some-State", because that's the default in
OpenSSL)? Or L=Default City (again, the default in OpenSSL)?

I think we can reasonably conclude that the reason nobody engaged with my
questions about those is that the answers would be embarrassing and they're
hoping that if they stay quiet nobody will follow up by asking why they're
filling this crap out (to make money) if they can't validate it properly...
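
A check for the "Some-State" and "Default City" problem raised above, as an added example that is not code from the thread, from any CA or from OpenSSL itself: it parses Subject lines in the `key = value, key = value` form that `openssl x509 -noout -subject` prints and flags identity fields whose value is an unedited default from a shipped openssl.cnf (upstream OpenSSL: ST=Some-State, O=Internet Widgits Pty Ltd; the Red Hat and Fedora copy: L=Default City, O=Default Company Ltd, C=XX). The same function run over a Certificate Transparency dump is how one would put numbers on the question. The sample subjects are constructed, and the organisation one is modelled on the walmart.com fields quoted earlier rather than copied from the real certificate.

```python
"""Flag Subject values that are a tool's placeholder defaults rather than anything a CA
could have verified. Standard library only; the sample subjects are constructed."""
from typing import Dict, List, Set, Tuple

# Defaults shipped in openssl.cnf, so common in certificates made with `openssl req` and
# never edited: upstream OpenSSL (Some-State, Internet Widgits Pty Ltd) and the
# Red Hat / Fedora copy (Default City, Default Company Ltd, country XX).
PLACEHOLDERS: Dict[str, Set[str]] = {
    "ST": {"Some-State"},
    "L": {"Default City"},
    "O": {"Internet Widgits Pty Ltd", "Default Company Ltd"},
    "C": {"XX"},   # ISO 3166 user-assigned code, not a country
}
IDENTITY_FIELDS = ("O", "L", "ST", "C")   # what OV/EV adds over a CN-only DV subject

def parse_dn(line: str) -> List[Tuple[str, str]]:
    """Split 'C = US, O = "Wal-Mart Stores, Inc.", CN = ...' (the `openssl x509 -subject`
    form) into (type, value) pairs; a comma inside double quotes does not split a value."""
    if line.startswith("subject="):
        line = line[len("subject="):]
    parts, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" in part:
            key, _, value = part.partition("=")
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def identity_fields(line: str) -> Dict[str, str]:
    """The organisation identity a browser would have to surface; {} for a CN-only subject."""
    return {k: v for k, v in parse_dn(line) if k in IDENTITY_FIELDS}

def placeholder_fields(line: str) -> List[str]:
    """Identity fields whose value is a known unedited default, in the order they appear."""
    return [f"{k}={v}" for k, v in parse_dn(line) if v in PLACEHOLDERS.get(k, set())]

# Constructed sample subjects (not taken from real certificates).
SAMPLES = {
    "org": 'subject=C = US, ST = Arkansas, L = Bentonville, O = "Wal-Mart Stores, Inc.", CN = www.walmart.com',
    "defaults": "subject=C = XX, ST = Some-State, L = Default City, O = Internet Widgits Pty Ltd, CN = shop.example.test",
    "dv": "subject=CN = www.example.net",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, identity_fields(line), placeholder_fields(line))
```

Any hit from `placeholder_fields` on a publicly trusted OV or EV certificate means the CA issued identity assertions it cannot have validated, which is exactly the question put to the CAs above.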

~~~
nailer
The full sentence from the article is:

> Frankly, I think this is more a symptom of people coming to grips with the
> true meaning of SSL (or TLS)

I did add 'certificates' so it read better (the system is PKI not SSL) but yes
it's from the article.

Yep, they're x509v3 fields. Netscape was under no obligation to include them -
they simply could have included CN only if they thought people didn't want to
know the organisation they were communicating with.

However Organisation was included by Netscape and it was verified until
GeoTrust invented DV (and later other CAs copied it to compete with the low
margins of not checking identity). Totally agreed about the poor quality of
verification during the 90s though (fax on company letterhead etc).

The one thing that hasn't changed in 20 years is that people still want to
know who they're communicating with online.

~~~
nailer
(DC would also provide a tree structure if Netscape had wanted to use domain
names as the exclusive form of identification - but they didn't. The objection
was to verify enough information for commerce, which domain names clearly do
not)

------
lmm
How long ago was it that users didn't notice or care if the URL was http://
rather than https://? Yet no-one was declaring HTTPS dead on those grounds.

~~~
scrollaway
Apples and encrypted oranges. There's no actual technical difference between
EV and DV for the end user, much unlike https vs http...

Why does my comment have to be spelled out anyway? I'm having a hard time
believing you don't know that or haven't realized it.

~~~
lmm
> Apples and encrypted oranges. There's no actual technical difference between
> EV and DV for the end user, much unlike https vs http...

What does it matter to the end user whether the difference is technical,
legal, or procedural? The user just wants to be able to tell the difference
between a legit site and a phishing spoof.

> Why does my comment have to be spelled out anyway? I'm having a hard time
> believing you don't know that or haven't realized it.

The article points out that users and paypal didn't care that their domain
wasn't using EV, as if this were a slam-dunk argument against it. But that
argument would go through just the same for a domain that wasn't using HTTPS
at all.

~~~
scrollaway
The difference matters because http vs. https makes a difference regardless of
what the user or HN commenters think, whereas EV relies entirely on the user
acting in a way that is entirely theoretical and not seen in practice.

