Extended validation is broken

Feb 13th 2018

certificates phishing security ssl vulnerability

In a new article on his blog Ian Carroll shows that it's quite easy to trick users into thinking that they're connected to the right site.

Extended validation ("EV") certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name. ... Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo.

https://stripe.ian.sh/

← Setting up Laravel Horizon with Forge and Envoyer

Regaining trust in your test suite with Docker →

Share Post LinkedIn | Follow @freekmurze

Join 9,500+ smart developers

Get my monthly newsletter with what I learn from running Spatie, building Oh Dear, and maintaining 300+ open source packages. Practical takes on Laravel, PHP, and AI that you can actually use.

No spam. Unsubscribe anytime. You can also follow me on X.

Found something interesting to share? Submit a link to the community section.

I'm a Laravel developer at Spatie and Oh Dear. I maintain 300+ open source packages for the Laravel community.

Follow on X

Oh Dear monitors your entire website, so you don't have to. Uptime, SSL certificates, broken links, scheduled tasks, DNS, and more — all in one place.

Get instant notifications when something breaks, paired with a developer friendly API and thorough documentation.

Create a public status page in under a minute. Start your free trial.