Found this today which suggested EV certs are broken and they explain
why.

Certainly something to watch out for if you are a company with the same
name as others elsewhere in the world.

https://stripe.ian.sh

--
Richard

I guess I missed this post.

The EV SSL certificates are a different thing than the EV code signing
certificates.

That's not to say that all of this stuff is entirely adequate, but
there is that distinction.

Jeff Slarve
www.jssoftware.com


Bits and Bytes are Dy-No-Myte

Well the technique could certainly be applied to code signed apps
instead of websites and would it have the same level of scrutiny when
most of the infosec world appears to be focused on website identities?

In Windows 7, control panel, add remove programs, you can only see a
publisher name, so something could be hiding in plain sight so to
speak.

I've also noticed MS smart screen and AV software doesnt always flag up
malicious software even when its code signed.

A year or so ago I tried getting a domain and had it registered to my
old company but at an address of an office block that rents office
space nearby, that was flagged up straight away, so I do wonder just
how much surveillance there is on us now a days.

--
Richard

Well even Troy Hunt has come out and said EV certs are dead because of
the upcoming changes to the Browsers.

Same problem in browsers as in windows now, ie its hard to get more
detailed info about an EV code signed app or website.

https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

--
Richard