> The reason why "Stripe, Inc." is interesting is because it disproves the whole claim that users can trust the business name displayed, because they can't.
The only people who made this claim did it so they could attack it.
The only claim of the EV system is that the display name matches a real legal entity, which is not the same thing as being consumer-recognizable.
The intent with EV was that the presence of its UI element--regardless of what it said--would confer trust. The idea does not rely on users recognizing the company name any more than trust in physical stores relies on users memorizing street addresses.
The concept is that a legit company would opt to tie its online presence back to its legal entity (via an EV cert), but a scam would not because doing so would take more effort and make it harder to escape.
Again: this is analogous to the effort that it takes to set up a physical store. You can buy things off the back of a truck, but everyone knows that is sketchy. You don't know where that stuff came from, and you have no recourse once the truck drives away.
Setting up a store is a lot harder than driving up a truck--a company has to establish a legal presence in the jurisdiction, sign a lease, get a business license, comply with all sorts of regulations, pay taxes, etc. But they go through that effort because doing so confers trust. It is this system that is behind the social convention that it's ok to walk into a new store and hand them your credit card to buy something.
The goal of EV, of the CA system in general, was to try to create a similar set of trust signifiers and conventions online.
> The intent with EV was that the presence of its UI element--regardless of what it said--would confer trust.
I don't see how you can say that.
If I go to paypal.com and see "Joe's Pizza Shack" in the green text, there's no way I'm going to trust it.
If a phisher is capable of legitimately acquiring a certificate that says "Stripe, Inc." just as they could one that says "Joe's Pizza Shack", then the presence of the green text means nothing more than "someone was convinced to pay money for green text", and it certainly doesn't mean I'm talking to the company I thought I was.
And the ability to get a legitimate certificate saying "Stripe, Inc." means that EV can aid phishing attacks, because the existence of the green text is supposed to trump all other trust indicators ("is paypalcares.com legitimate? It's got the green 'PayPal, Inc.' text, it must be!").
Which is to say, users don't notice if the green text is gone, meaning it has no benefit, and users may trust the green text over other warning signs, meaning the ability to successfully spoof another company's green text makes EV an attack vector rather than a defense.
> then the presence of the green text means nothing more than "someone was convinced to pay money for green text"
It means someone was willing to pay money and publicly confirm their legal identity.
I think you under-appreciate the implications of that, and are overly focused on the mechanics of phishing (which is just one aspect of security). Even if EV certs are not any better than DV at preventing phishing, they're better for investigating phishing.
If that worked well, over time it would create a deterrence around using EV for crimes, which would not be perfect, but would create an improvement in trust.
But it doesn't work well. So to be clear, I'm explaining why EV certs exist--what they are actually for. I'm not claiming the system works great; in fact I think it's pretty crappy how poorly it's implemented by the browsers. As you note elsewhere, it's hard to see and do anything with the extra info in an EV cert. And I have to wonder why that is.
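An added example, not code from anyone in this thread, that makes the point about "the extra info in an EV cert" concrete. EV subjects carry more than the organization name shown in the UI: the jurisdiction of incorporation and a registration number are what actually tie the cert to one legal entity, and those are the fields an investigator would compare. The script is pure stdlib; the two certificate subjects it parses are constructed DER (a placeholder "Example Corp" with made-up jurisdictions and serial numbers), not real certificates, and the helper names (`build_subject`, `parse_subject`, `ev_identity`) are this example's own.

```python
# Added example (not from the thread). Builds two constructed X.509 subject
# Names with EV attributes, parses them back, and shows that the display name
# alone does not identify a legal entity while the EV jurisdiction + serial
# fields do. Stdlib only; no real certificates involved.

# Attribute OIDs the CA/Browser Forum EV Guidelines put in an EV subject.
EV_OIDS = {
    "2.5.4.3": "commonName",
    "2.5.4.6": "countryName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.7": "localityName",
    "2.5.4.10": "organizationName",
    "2.5.4.5": "serialNumber",            # company registration number
    "2.5.4.15": "businessCategory",       # e.g. "Private Organization"
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
OID_BY_NAME = {v: k for k, v in EV_OIDS.items()}

# --- minimal DER helpers (enough for a Name of UTF8String attributes) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- constructed test input: encode a Name with one attribute per RDN ---
def build_subject(attrs):
    rdns = b""
    for name, value in attrs:
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(OID_BY_NAME[name]))
                         + _tlv(0x0C, value.encode("utf-8")))   # UTF8String
        rdns += _tlv(0x31, atv)         # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)             # SEQUENCE OF RDN

# --- the part an investigator would run against a real subject ---
def parse_subject(der):
    """Decode an X.509 Name into {attributeName: value}; unknown OIDs keep the dotted form."""
    tag, name_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = {}, 0
    while pos < len(name_body):
        _, rdn, pos = _read_tlv(name_body, pos)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after_oid = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, after_oid)
            oid = _decode_oid(oid_body)
            out[EV_OIDS.get(oid, oid)] = val_body.decode("utf-8")
    return out

def display_name(subject):
    """What the browser UI shows: just the organization name."""
    return subject["organizationName"]

def ev_identity(subject):
    """What EV actually asserts: organization + incorporation jurisdiction + registration number."""
    return (subject["organizationName"],
            subject.get("jurisdictionCountryName"),
            subject.get("jurisdictionStateOrProvinceName"),
            subject.get("serialNumber"))

# Two constructed subjects: identical display name, different legal entities.
SUBJECT_A = build_subject([
    ("businessCategory", "Private Organization"),
    ("jurisdictionCountryName", "US"),
    ("jurisdictionStateOrProvinceName", "Delaware"),   # made-up
    ("serialNumber", "1234567"),                        # made-up
    ("countryName", "US"), ("organizationName", "Example Corp"),
    ("commonName", "www.example.com"),
])
SUBJECT_B = build_subject([
    ("businessCategory", "Private Organization"),
    ("jurisdictionCountryName", "US"),
    ("jurisdictionStateOrProvinceName", "Kentucky"),    # made-up
    ("serialNumber", "7654321"),                        # made-up
    ("countryName", "US"), ("organizationName", "Example Corp"),
    ("commonName", "www.example.net"),
])

if __name__ == "__main__":
    a, b = parse_subject(SUBJECT_A), parse_subject(SUBJECT_B)
    print("display names equal:", display_name(a) == display_name(b))
    print("EV identities equal:", ev_identity(a) == ev_identity(b))
    print("A:", ev_identity(a))
    print("B:", ev_identity(b))
```

The design point: a UI that surfaces only `display_name` collapses everything EV verified down to a string that any registered entity with that name can obtain, while `ev_identity` is the tuple that distinguishes them and is what a takedown request or abuse report would cite.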
> Even if EV certs are not any better than DV at preventing phishing, they're better for investigating phishing.
Except general phishing sites won't use them, which means they won't do anything for investigating phishing. There's no need for phishing sites to use them since users don't notice.
The only real scenario where they'd be used is in a spearphishing scenario where it's worth the risk in order to snag a high-value target, especially because it's a lot less likely that your misleading EV cert will be captured by investigators (once you're done with that one target, take down the site before anyone can look into it).