New research released last Wednesday established that Extended Validation (“EV”) SSL certificates may not protect against online fraud and are increasingly being abused to create convincing phishing sites.
PhishLabs said in its report last week that one out of four phishing sites now uses HTTPS. In addition, researcher Ian Carroll proved that it is fairly easy to obtain an EV SSL certificate in the name of an existing legitimate business when he incorporated a business called “Stripe, Inc.” in Kentucky. The real company is incorporated in Delaware, but browsers would display the identical company name, which can mislead the average user, who would rarely look to verify the EV details.
Carroll says it is even worse for Safari users, who only get to see the company name in their browsers.
Source: Bleeping Computer