Difference between revisions of "EV Cert"
(→Problems) |
(→Links to other problems with EV) |
||
| Line 8: | Line 8: | ||
Ian Carroll summarized some of the issues [https://stripe.ian.sh/ here] which includes this comment EV "certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company "Identity Verified". Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing." | Ian Carroll summarized some of the issues [https://stripe.ian.sh/ here] which includes this comment EV "certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company "Identity Verified". Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing." | ||
===Links to other problems with EV=== | ===Links to other problems with EV=== | ||
| − | [https://www.bleepingcomputer.com/news/security/extended-validation-ev-certificates-abused-to-create-insanely-believable-phishing-sites/ Extended Validation (EV) Certificates Abused to Create Insanely Believable Phishing Sites] | + | *[https://www.bleepingcomputer.com/news/security/extended-validation-ev-certificates-abused-to-create-insanely-believable-phishing-sites/ Extended Validation (EV) Certificates Abused to Create Insanely Believable Phishing Sites] |
| + | *[https://www.typewritten.net/writer/ev-phishing/ First part of Phising with EV] | ||
| + | *[https://stripe.ian.sh/ Extended Validation is Broken] | ||
| + | * | ||
==Solutions== | ==Solutions== | ||
Revision as of 08:27, 25 November 2018
Contents
Full Title or Meme
Extended Validation Certificates for SSL Web Sites with added Assurance as to the real-world identity of the Enterprise hosting the site.
Context
In response to concerns that TLS (HTTPS) encrypted interchanges could not be Validated by regular users, the CA|B forum created an audited from of certificate to satisfy users concerns. It has not lived up to expectations.
Problems
Ian Carroll summarized some of the issues here which includes this comment EV "certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company "Identity Verified". Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing."
Links to other problems with EV
- Extended Validation (EV) Certificates Abused to Create Insanely Believable Phishing Sites
- First part of Phising with EV
- Extended Validation is Broken
Solutions
There appears to be little reason to expect that the CA|B (Certificate Authority | Browser) forum will come up with a user-centric solution, so some other forum may be required.
