Extended Validation is Broken

Extended Validation is a tool that can be used by site owners in order to prove the identity of their site beyond a standard HTTPS certificate.  While an HTTPS certificate proves that the server you are communicating with is the site identified by the domain name, it can be easy to spoof domain names for some sites (like facebok.com).  If a site is verified, a person may be likely to trust it without verifying the domain name.

In order to receive an Extended Validation certificate, one must prove to a Certificate Authority that they “are” that name, rather than just owning the domain name.  Most commonly, this is done by proving that you own a company by that name – which is a fairly secure system.  However, in this report, Ian Carroll exploits a vulnerability not in the technical system, but in the United States.

In America, the same company name can be registered in different states (since, for all practical purposes, we are 50 separate countries that are just really friendly).  Carroll takes advantage of this fact by registering the company name “Stripe, Inc.” in Kentucky (Stripe is a popular payment platform, registered in Delaware).  He uses the site registered with this certificate not for malicious purposes but in order to spread awareness of the vulnerability, hosting his whitepaper on the vulnerability there.

This issue raises many questions on how we should be verifying identity, as well as how browsers should deliver verification information to the client.  The entire vulnerability is completely technically sound in that the entire process does what it should (the company named “Stripe, Inc.” has been verified to serve this content).  There is, unfortunately no simple way to solve this problem.  Should the certificate authority only issue these certificates for companies that are “big” or, even more ambiguously, “well-known”, and deny verification to startups?  Should the browser also display the state name of registration along with the certificate (assuming that the common citizen knows the state name of every website he or she visits)?  These are not difficult answers, but their answers are fundamental to the future of identification in an increasingly automated world.


– Ryan Volz