
On the HN thread on Troy's last post about this, I said [1]:

"Big sites can get by with DV because people trust big sites by fiat, just by mental associations they already have to a URL. There's no benefit to Facebook having an EV cert, because literally everyone who'd want to visit Facebook knows Facebook's URL. User error about entering credentials on the wrong site -- accidentally due to typosquatting, or through leading such as phishing -- is better mitigated in other ways: multi-factor authentication (especially unproxiable such as U2F); not by making the high-profile site pay thousands of dollars for a text string in green, when there are users who fall victim to phishing from bizarre domains too."

Ultimately, this is a bad example to show that EV is pointless. The biggest benefit of EV is as a flawed signal of legitimacy [1] for sites whose URLs aren't widely known and get a fair number of first-time visitors: web presence for real-life service businesses, specialized payment portals accessed through redirects, and the like.

This is because people's mental model of the trust that EV confers is broken. People typically care about whether the site they arrived at was the one they were intending to visit, which the computer can't possibly know without additional input, but EV has attained a role of serving as a flawed signal of such, because the browser bar said something that doesn't look alarmingly different.

EV formalizes the vetting between legal entity and domain name, so it translates okay to entities that are firmly anchored in meatspace. But all of this chaining of trust in people's heads is done by names and strings, and experiments like stripe.ian.sh prove [2] why it's fallible. Nonetheless, EV effectively allows one extra indirection between (1) the name of the business as people refer to and recognize it, and (2) the domain name that's likely correct, than DV does -- and some operators and some visitors benefit from this indirection, when the URL doesn't roll off the tongue.

[1] https://news.ycombinator.com/item?id=18010961#18011914

[2] https://news.ycombinator.com/item?id=15904513#15909273



> literally everyone who'd want to visit Facebook knows Facebook's URL

Never forget when ReadWriteWeb posted a blog post entitled "Facebook Wants to Be Your One True Login", which ended up ranking very highly for the search query "facebook login". It was subsequently inundated with comments from angry people who hated the new redesign and couldn't figure out how to log in... believing that they were on facebook, because they googled "facebook login" and clicked the first result.

https://web.archive.org/web/20100213061037/https://www.readw...

Scroll down for the comments. It's pages and pages of people frothing at the bit looking for anywhere to enter their facebook password.


I forgot about that one. It's interesting how people will hold on to their method of doing things, even if the workaround is harder than doing the direct thing: (one of the comments)

> for those of you that want to get in face book now just go to Bing..put in face book and search (or it will pop up) hit on face book login and it takes you to your password page...i did it.... if this ever gets back to normal I will use the address bar from now on.....


> literally everyone who'd want to visit Facebook knows Facebook's URL

I'm not sure I'd agree with this. I don't think most people look at or really understand URLs or domain names. I think people assume they are a lot "fuzzier" than they are, so "facebookapp.com" or "facebook.foobar.com" or anything else would be assumed to be "Facebook" by most people.

As technical people it's easy for us to assume things that feel basic to us are at least understood but I don't think it's the case. My parents do most of their shopping online, and when I was growing up we always had computers around, but I don't think either one of them really understands URLs or things like file hierarchies, or windowing systems on desktops for example.


I have seen multiple people, mostly elderly, who will go to whatever search engine that loads by default in their browser, search for Facebook, and click on the link. Nothing close to everybody has Facebook's URL memorized.


Not everyone knows what a URL is, or understands the difference between a search box and a URL text box.


I remember a few years ago when someone wrote a blog post about Facebook that somehow ranked higher than Facebook itself in Google search results for "facebook login", and was inundated by people who thought they were on facebook and left angry comments about how the redesign was terrible and they couldn't figure out how to log in.

A very non-trivial number of people type "facebook" into Google and then click the first result.

Edit: found it! Scroll to the bottom for the comments. https://web.archive.org/web/20100213061037/https://www.readw...


I found the linked page from ian.sh extremely instructive. [1] Especially the part about how some browsers hide the domain name when the EV certificate is in use.

I'm with a company that uses an EV certificate for our site, mostly just to "look even more trustworthy", even though it functionally serves very little purpose for us, and in an industry where I doubt very few clients know what it really is. For large companies the cost of an EV certificate is negligible. If someone wanted to impersonate us, they would only need to change a letter or two and get a similar `.com` domain, which would be easy to do since we have a somewhat unusual name.

The linked article also talks about the possibility of people getting a shortened domain name like `g.uk` for phishing. If a company has a wide portfolio of sites, that becomes even easier since it weakens people's association between a canonical domain and the company.

I guess the main point is that the DNS records themselves are one of the most effective preventions of phishing since you need a mapping from a user intent to the site they arrived at. Domain names provide a memorable and easily "mentally verifiable" method of mapping from "facebook.com" -> Social Media, "gmail.com" -> Email, etc. for most people. But strings of characters are also vulnerable since they can be easily changed by a transposition, or other operation, to create a new domain name that looks _very_ similar. Since our minds are much better at recognizing words by the beginning and end, they are vulnerable to changes in letters in the middle.

It makes one wonder if there is a system that would allow much easier mental verifiability of that mapping, but which would still allow a large number of possibilities. Or whitelisting sites that you regularly visit and alerting an individual on sites not in the whitelist or which _resemble_ sites in the whitelist.

[1] https://www.typewritten.net/writer/ev-phishing/

EDIT: just to make clear, I think strings and domain checking mentally is a terrible model for verifying trust. But at least it kinda works some of the time, even though there are tons of vulnerabilities and problems. But probably better than typing in raw IP addresses, most of the time.


> Especially the part about how some browsers hide the domain name when the EV certificate is in use.

This drives me nuts. Browsers should never hide the domain name (or any other part of the URL).


Thankfully even iOS (I believe starting with 12.2) no longer hides the full domain name when EV is present, but EV will still make the domain's characters turn green.


Security Keys fix the problem of credentials getting phished by making them unphishable (a Security Key will let you give evilguy.example credentials, but only for evilguy.example; they are utterly useless for facebook.com or goodguy.example or any other site, it dumbly refuses to help you give Evil Guy your real goodguy.example credentials).

More subtle manipulations from phishing remain possible, but they're trickier to pull off than just stealing people's passwords.

IIRC somebody has a proof like with Arrow's theorem - that the perfect desirable set of features for names can't be achieved, but I can't find it. Certainly you can see a different trade in Tor hidden services for example: bad guys can't get a name arbitrarily similar to yours, but your name is also mostly gibberish, so your users probably don't remember what it is anyway. Did they buy the last bag from greatweedxstrm4aqp.onion? Or was it weedxgreatstre6g2q.onion? And unlike conventional Phishing the plan is probably to break your door down and arrest you if you pick the wrong one, which sucks worse than card fraud...


True, but using visual inspection of the URL is problematic too: Do you mean to be at apple.com or аpple.com?

www.xudongz.com/blog/2017/idn-phishing/


Which isn't really a problem any more since browsers don't display Punycode any more. https://imgur.com/a/COCrJGy


So, if you're a non-English speaker, doesn't this render distinguishability for real IDNs completely useless?

Compare http://xn--j1ail.xn--p1ai and https://xn--d1aqf.xn--p1ai - If rendered to punycode, they look like this:

kto.rf: xn--j1ail.xn--p1ai

dom.rf: xn--d1aqf.xn--p1ai

To note: Firefox (Nightly) on desktop for me rendered the false Apple domain near-identically to the real Apple, and for the two RF domains, the Cyrillic was used.


IIRC, the rule being used is the IDN gets rendered unless it crosses character sets. So your domain entirely in Cyrillic or Kanji is fine, but mixing them with Latin characters should be a no-no.
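As an added illustration (not code from any commenter, and a simplification of what real browsers implement), this Python sketch shows the rule just described together with the punycode forms quoted earlier in the thread: decode xn-- labels, look at which scripts each label's letters come from, and fall back to the raw xn-- form when a label mixes scripts. CYRILLIC_A_APPLE is a constructed sample whose first letter is Cyrillic U+0430.

```python
import unicodedata

# Constructed sample: looks like "apple.com" but the first letter is
# Cyrillic U+0430, not Latin "a" (the lookalike discussed in the thread).
CYRILLIC_A_APPLE = "\u0430pple.com"


def to_ascii(domain: str) -> str:
    """Encode each non-ASCII label as xn--<punycode> (the A-label form)."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain: str) -> str:
    """Decode xn-- labels back to their Unicode (U-label) form."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, CJK, ...). Digits and
    hyphens are ignored. This is a rough stand-in for the Unicode Script
    property; browsers use that property plus further confusable checks."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def display_form(domain: str) -> str:
    """Simplified rendering rule: show the Unicode form only when no label
    mixes scripts; otherwise show raw punycode so the lookalike is visible."""
    unicode_form = to_unicode(domain)
    if any(len(scripts_in(label)) > 1 for label in unicode_form.split(".")):
        return to_ascii(domain)
    return unicode_form
```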


It should be. Unfortunately even really obviously fine cases like Swedish government agencies on the Sweden TLD (försäkringskassan.se), which by the way supposedly has a proper IDN policy that browsers should respect, don't get respected by all modern browsers :(



Why should they need one to have the IDN respected?


I don't know what försäkringskassan.se looks like in modern browsers because it redirects (302) to https://www.forsakringskassan.se/

EDIT: woah HN did a funky thing with a URL in a post to fight against misleading domains! http://xn--frskringskassan-2kb71a.se


Looks like this is fixed in Chrome and Edge by default. In Firefox (release 67.0) you have to dig into about:config and flip the switch on network.IDN_show_punycode (this is discussed in the above demonstration article.)


Define 'fixed'


huh... Apparently appIe.com takes you to the Amazon page for Apple products through a referral link...


That approach works for the very well known domains, but it doesn't even work for tech giants

Who is https://withgoogle.com?

Who is https://www.microsoftedgeinsider.com?

