Google already supports 2FA with the new U2F protocol. With this protocol the app id (URI) is part of the process and it's provided by the browser. Thus phishing attacks will fail.
Sadly Firefox and other browsers do not yet support this, only Chrome. I really hope this replaces the old 2FA TOTP style and especially SMS.
For people who want to use both, there is a nice solution. You can use a YubiKey as your U2F token, and for websites that don't support this you can use the YubiKey as your 2FA with the help of an Android app called 'Yubico Authenticator' and NFC. I prefer it to Google Authenticator because I can move between Android devices (which just came in useful when my phone broke).
Google does not yet support NFC U2F on their mobile browsers as far as I know. That's very sad; I really want to be able to disable the HOTP solution.
See the protocol here: https://image.slidesharecdn.com/fidou2fin10minutescis2015-15...
Or use a U2F key as a second factor. Avoiding MITM phishing attacks is one of its explicit design goals. In short: the MITM does not have the right key handle, so it cannot initiate the challenge-response.
U2F is supported by Google and Dropbox (since a week or two ago). Keys cost ~10-15 Euro a pop. Buy two keys, keep one with you, put the other in a fire-proof safe.
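The two comments above both lean on the same mechanism: the browser, not the web page, supplies the origin to the token and embeds it in the signed client data, and a key handle is only usable for the app id it was minted for. The following is an added illustration, not code from the thread or from any U2F implementation. It models a token, a browser and a relying party in plain Python; HMAC stands in for the ECDSA signature and the app id is taken to equal the page origin, both constructed simplifications so that it runs with the standard library only. The origins, challenge and class names are all made up.

```python
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedToken:
    """Stand-in for a U2F authenticator (constructed, not a real device).

    One master secret; every registration derives its own key from
    (app id hash, nonce). The key handle carries the nonce plus a tag that
    binds it to the app id, so the token refuses a handle presented under a
    different origin. HMAC replaces the ECDSA signature of real U2F."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _derive_key(self, app_id_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._master, b"key" + app_id_hash + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_id_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._master, b"handle" + app_id_hash + nonce, hashlib.sha256).digest()

    def register(self, app_id_hash: bytes):
        nonce = secrets.token_bytes(16)
        key_handle = nonce + self._handle_tag(app_id_hash, nonce)
        # The derived key plays the role of the public key the RP stores.
        return key_handle, self._derive_key(app_id_hash, nonce)

    def authenticate(self, app_id_hash: bytes, key_handle: bytes, client_data_hash: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(app_id_hash, nonce)):
            raise ValueError("key handle does not belong to this app id")
        self.counter += 1
        # Signed data layout follows U2F: appIdHash || flags || counter || clientDataHash
        signed = app_id_hash + b"\x01" + self.counter.to_bytes(4, "big") + client_data_hash
        sig = hmac.new(self._derive_key(app_id_hash, nonce), signed, hashlib.sha256).digest()
        return self.counter, sig


class Browser:
    """The browser fixes the origin; the page cannot choose it."""

    def __init__(self, token: SimulatedToken, origin: str) -> None:
        self.token, self.origin = token, origin

    def sign(self, key_handle: bytes, challenge: str):
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": self.origin},
            sort_keys=True,
        ).encode()
        counter, sig = self.token.authenticate(sha256(self.origin.encode()), key_handle, sha256(client_data))
        return client_data, counter, sig


class RelyingParty:
    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.keys = {}          # key handle -> verification key
        self.last_counter = {}  # key handle -> highest counter seen

    def register(self, token: SimulatedToken) -> bytes:
        key_handle, key = token.register(sha256(self.app_id.encode()))
        self.keys[key_handle] = key
        self.last_counter[key_handle] = 0
        return key_handle

    def verify(self, key_handle: bytes, challenge: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        parsed = json.loads(client_data)
        if parsed.get("origin") != self.app_id or parsed.get("challenge") != challenge:
            return False  # signed for another origin, or not our challenge
        if key_handle not in self.keys or counter <= self.last_counter[key_handle]:
            return False  # unknown handle, or a replayed / cloned-token response
        signed = sha256(self.app_id.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
        expected = hmac.new(self.keys[key_handle], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.last_counter[key_handle] = counter
        return True


def run_scenario() -> dict:
    """Legitimate login succeeds; the same key handle and challenge presented
    under a look-alike origin are refused by the token; a replayed response is
    refused by the relying party."""
    token = SimulatedToken()
    rp = RelyingParty("https://accounts.example")
    key_handle = rp.register(token)
    challenge = secrets.token_hex(16)

    client_data, counter, sig = Browser(token, "https://accounts.example").sign(key_handle, challenge)
    legit = rp.verify(key_handle, challenge, client_data, counter, sig)
    replay = rp.verify(key_handle, challenge, client_data, counter, sig)

    try:
        Browser(token, "https://accounts-example.net").sign(key_handle, challenge)
        lookalike = "signed"
    except ValueError as exc:
        lookalike = str(exc)
    return {"legit": legit, "replay": replay, "lookalike": lookalike}
```

The check worth noticing is the one that does not depend on the user: the browser derives the app id hash from the real origin, so a page on another domain cannot get a usable assertion even if it holds the genuine key handle, and the relying party independently rejects any client data whose origin is not its own.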
In theory, a phisher could register a company with a similar name to the target website's legal name, obtain a valid EV certificate for that, and then phish using a similar-looking domain with a similar-looking EV certificate legal name. In practice, if that were to begin happening, I'd like to think that the authorities in charge of legal entity registration (e.g. Companies House in the UK) would start requiring identity checks for the legal entity registrations, and then phishers would not have an easy path to exploit this route.
> I'd like to think that the authorities in charge of legal entity registration (e.g. Companies House in the UK) would start requiring identity checks for the legal entity registrations
Wait, they don't require that now?
For example, in the UK, the Lloyds Bank main website is lloydsbank.com, but click (on their insecure page) for online banking logon and you're taken to https://online.lloydsbank.co.uk.
The main website for another UK bank, NatWest, is on natwest.com (it redirects to http://personal.natwest.com), but click for online banking and you're taken to a page on https://www.nwolb.com
Telling users to check the domain is useless, since legitimate sites condition users to ignore it.
EV certificates do fix this to some extent, but users are not conditioned to check these, and domain-validated certificates just complicate matters for them.
I would prefer to see legislation that mandates security standards for entities that handle personal data. In the UK, secondary legislation against an amended Data Protection Act that mandates EV certificates would work well for this, IMHO. This won't help the Internet at large, but would at least help condition UK users to know what to check.
But absolutely, anyone storing serious personal information (credit cards, banking information, social security numbers) should be required by law to have an EV cert.
CertSimple is run from London, 150 quid a year, and delivers EV certs faster than anywhere in the world: an average of 5 hours, rather than the industry standard 7 to 10 days. It also has an 80-second request process without software installation or terminal Q and A:
I'd be happy if you used domain-validated SSL but browsers didn't make any claims about the security of connections without the EV cert, though. For me this means no padlock icon whatsoever. After all, from the perspective of an ordinary user who cannot verify your domain, it is insecure.
Edit: how about "No claims about security to be presented to the user without EV certificates"?
Edit: With certificate pinning you could put out a message to the user to verify that he understands that this is the first time he visits the site.
The problem is when to put out such a warning; I don't want to do that every time I go on a new site.