How Extended Validation SSL Certificates Can Be Used to Scam End Users

Dan Goodin, Ars Technica:

For a decade, some security professionals have held out extended validation certificates as an innovation in website authentication because they require the person applying for the credential to undergo legal vetting. That’s a step up from less stringent domain validation that requires applicants to merely demonstrate control over the site’s Internet name. Now, a researcher has shown how EV certificates can be used to trick people into trusting scam sites, particularly when targets are using Apple’s Safari browser.

Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page. When viewed in the address bar, the page looks eerily similar to, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.

Ian Carroll:

Let’s look at the user interfaces of browsers. On Safari, the URL is completely hidden! This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar. The below screenshot is from this site. Hard to tell, right?

With Chrome, the story is slightly better, but only if you bother to look at the full URL. Chrome has no native way to view anything other than the company name and country of the certificate. Newer versions of Chrome will open the system certificate viewer with two mouse clicks (older versions completely removed viewing the certificate), but the system certificate viewer is useless for any normal user.

By default, Safari will only show the company name in the address bar when a website is loaded with an extended validation certificate; users can reveal the company name beside the URL by opening Safari preferences and checking the “Show full website address” box under the Advanced tab.
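The collision Carroll describes is easy to see once you compare what the address bar renders with what the certificate subject actually carries. The following is an added example (not Carroll's code and not from the article): two constructed certificate subjects in the layout Python's `ssl.SSLSocket.getpeercert()` returns, with placeholder hostnames, jurisdictions and registration numbers, showing that the organization-name-plus-country label is identical for two distinct legal entities while the remaining subject fields and the hostname are not.

```python
# Constructed certificate dicts mirroring the shape of ssl.getpeercert():
# "subject" is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
# Hostnames, jurisdictions and registration numbers are placeholders.
LEGIT_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "PLACEHOLDER-STATE-A"),),
        (("serialNumber", "PLACEHOLDER-REGISTRATION-A"),),
        (("countryName", "US"),),
        (("organizationName", "Stripe, Inc."),),
        (("commonName", "legit.example"),),
    ),
    "subjectAltName": (("DNS", "legit.example"),),
}
LOOKALIKE_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("jurisdictionStateOrProvinceName", "PLACEHOLDER-STATE-B"),),
        (("serialNumber", "PLACEHOLDER-REGISTRATION-B"),),
        (("countryName", "US"),),
        (("organizationName", "Stripe, Inc."),),
        (("commonName", "lookalike.example"),),
    ),
    "subjectAltName": (("DNS", "lookalike.example"),),
}

IDENTITY_FIELDS = ("organizationName", "countryName", "jurisdictionCountryName",
                   "jurisdictionStateOrProvinceName", "serialNumber")


def subject_fields(cert):
    """Flatten the getpeercert()-style subject into a plain attribute -> value dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def address_bar_label(cert):
    """The EV indicator a browser paints: organization name and country, nothing else."""
    fields = subject_fields(cert)
    return f"{fields.get('organizationName', '?')} [{fields.get('countryName', '?')}]"


def ev_identity(cert):
    """The subject attributes that actually distinguish one registered entity from another."""
    fields = subject_fields(cert)
    return {name: fields.get(name) for name in IDENTITY_FIELDS}


def dns_names(cert):
    """Hostnames the certificate is valid for; the one thing the green bar can hide."""
    return sorted(value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")


def same_entity(cert_a, cert_b):
    """True only when every identity attribute matches, not just the displayed label."""
    return ev_identity(cert_a) == ev_identity(cert_b)
```

On a live connection, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields a dict in this same layout, so the functions apply unchanged.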