Extended Validation Is Broken

https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate.

Yes, that’s one for “Stripe, Inc” … but that’s not “Stripe, Inc”, is it?

This site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.

Yes, what Ian did was register a company with the same name in another state. And it’s easy-peasy to do so:

From incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate.

When it comes to homograph attacks, browsers use punycode in the address bar, yet I’m very curious if and how this can be fixed.

Let this be a reminder to always be cautious. Type in addresses manually when in doubt. When still in doubt after that, don’t proceed.
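The name collision described above, as an added example (not code from this post or from Ian Carroll's site): an EV subject also carries the jurisdiction of incorporation and a registration number, so comparing the whole legal-entity tuple separates two companies that share an organization name. It assumes the subject layout that Python's `ssl.SSLSocket.getpeercert()` returns; the registration numbers and host names are constructed placeholders.

```python
# Added example. Subjects use the getpeercert() layout: a tuple of RDNs,
# each RDN a tuple of (attribute name, value) pairs.

# EV jurisdiction attributes; builds that lack the long names show raw OIDs.
OID_ALIASES = {
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
REQUIRED = ("organizationName", "jurisdictionCountryName", "serialNumber")


def ev_identity(subject):
    """Return (org, country, state, registration number) for an EV subject."""
    attrs = {}
    for rdn in subject:
        for name, value in rdn:
            attrs[OID_ALIASES.get(name, name)] = value.strip()
    missing = [field for field in REQUIRED if field not in attrs]
    if missing:
        raise ValueError("not an EV subject, missing: " + ", ".join(missing))
    # State is absent when the company is registered at country level.
    state = attrs.get("jurisdictionStateOrProvinceName")
    return (attrs["organizationName"].casefold(),
            attrs["jurisdictionCountryName"].casefold(),
            state.casefold() if state else None,
            attrs["serialNumber"])


def name_collision(subject_a, subject_b):
    """True when two subjects share an organization name but not an entity."""
    a, b = ev_identity(subject_a), ev_identity(subject_b)
    return a[0] == b[0] and a != b


def make_subject(state, serial, host,
                 state_key="jurisdictionStateOrProvinceName"):
    """Build a constructed sample subject (values are placeholders)."""
    return ((("jurisdictionCountryName", "US"),),
            ((state_key, state),),
            (("businessCategory", "Private Organization"),),
            (("serialNumber", serial),),
            (("countryName", "US"),),
            (("organizationName", "Stripe, Inc"),),
            (("commonName", host),))


DELAWARE = make_subject("Delaware", "PLACEHOLDER-DE-0001", "payments.example")
KENTUCKY = make_subject("Kentucky", "PLACEHOLDER-KY-0002", "lookalike.example")
```

A client that pins a counterparty by EV identity would store the full tuple from `ev_identity()` and compare against it, rather than matching on the organization name.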


Published by Bramus!
