https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate.
Yes, that’s one for “Stripe, Inc” … but, that’s not “Stripe, Inc” is it?
This site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.
Yes, what Ian did was register a company with the same name in another state. And it’s easy-peasy to do so:
From incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate.
When it comes to homograph attacks browsers use punycode in the address bar, yet I’m very curious if and how this can be fixed.
Let this be a reminder to always be cautious. Type in addresses manually when in doubt. When still in doubt after that, don’t proceed.