Extended Validation certificates have always been useless

I'm responding to this:

Furthermore, as I've said many times before, for EV to work people have to change their behaviour when they don't see it! If someone stands up a PayPal phishing site, for example, EV is relying on people to say "ah, I was going to enter my PayPal credentials but I don't see EV therefore I won't". That's how EV "stops phishing" (according to those selling the certs), yet here we are with a site that used to have EV and if it ever worked then it was only by people knowing that PayPal should have it. So what does it signal now that it's no longer there? Clearly, that people aren't turning away due to its absence.

I'd like to put the myth that EV counts for anything whatsoever to bed.

EV is useless even if people check for the green bar before entering their credentials. It is completely useless, because it doesn't protect from the following trivial attack:

  • A man-in-the-middle notices someone connecting to https://paypal.com/, but doesn't intercept the connection yet, while the user is only loading the login form.

  • Because the connection wasn't intercepted, the user sees the green bar, verifies it, and enters their credentials. They submit the form.

  • Only now does the attacker intercept the connection, performing a man-in-the-middle attack to wiretap the HTTP request, using an ordinary Domain Validation (DV) certificate for paypal.com they have somehow illicitly obtained.

    (An attacker will trivially be able to distinguish between requests for the login form, and the actual submission of it, via traffic analysis of the encrypted TLS session. Even if they don't guess right 100% of the time, they'll be able to guess right enough of the time for this attack to be profitable. This is, of course, in the parallel universe where people actually care about the green bar.)

  • Although from the browser's perspective https://paypal.com/ has changed from using an EV certificate to using a DV certificate between loading the login form and submitting it, the browser does not care one iota about this. By the time your login details have been submitted and the subsequent page has loaded, and you have the opportunity to notice that the subsequent page has no green bar, your password is already leaked.

This isn't just for login forms, either. If you're already logged into a website and have a valuable cookie, just visiting the website results in compromise; by the time you've seen that the front page of the website has no green bar, it's too late: your cookie has already been sent.
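To make the timing argument concrete, here is a small simulation of the login-form steps above and of the cookie case, as an added example that is not part of the original post. It models a browser that validates each TLS connection on its own and updates its UI indicator only after a response has arrived, which is exactly why the credentials (or the session cookie) are already on the wire by the time the missing green bar could be noticed. The `strict` mode is a hypothetical policy, not something any real browser implements, included to show what a browser would have to remember and check before sending in order for EV to mean anything; the origin, credentials and cookie values are constructed, and the two policy OIDs are the real CA/Browser Forum identifiers for EV and DV. How the attacker obtains the DV certificate or picks the request to intercept is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# CA/Browser Forum certificate policy OIDs (these two values are real).
EV_POLICY_OID = "2.23.140.1.1"
DV_POLICY_OID = "2.23.140.1.2.1"


@dataclass
class Connection:
    """One TLS connection as the browser sees it: the origin it was opened to
    and the certificate policy OID the peer presented. Constructed model,
    not a real socket."""
    origin: str
    policy_oid: str


@dataclass
class Browser:
    """Toy browser. strict=False is today's behaviour as the post describes it:
    every connection is validated on its own and the request leaves as soon as
    the chain verifies. strict=True is a hypothetical policy (not implemented by
    any real browser) that remembers the strongest validation level seen for an
    origin and refuses to send anything on a weaker connection."""
    strict: bool = False
    strongest_seen: dict = field(default_factory=dict)  # origin -> policy OID
    cookies: dict = field(default_factory=dict)         # origin -> cookie header
    wire: list = field(default_factory=list)            # everything that actually left the machine
    indicator: str = "none"                             # what the UI shows after the last load

    def request(self, conn: Connection, body: Optional[str] = None) -> bool:
        """Send one HTTP request over conn. Returns True if anything was sent.
        The indicator is only updated after the exchange, which is the post's
        point: the user sees the change too late to act on it."""
        if (self.strict
                and self.strongest_seen.get(conn.origin) == EV_POLICY_OID
                and conn.policy_oid != EV_POLICY_OID):
            self.indicator = "blocked"
            return False
        message = {"origin": conn.origin, "body": body,
                   "cookie": self.cookies.get(conn.origin)}
        self.wire.append(message)  # credentials and cookies are already gone at this point
        if conn.policy_oid == EV_POLICY_OID:
            self.strongest_seen[conn.origin] = EV_POLICY_OID
        self.indicator = "green" if conn.policy_oid == EV_POLICY_OID else "plain"
        return True


def login_scenario(strict: bool) -> dict:
    """The steps from the post: the form loads over the genuine EV connection,
    the submission lands on a connection presenting a DV certificate for the
    same name."""
    b = Browser(strict=strict)
    origin = "paypal.com"
    b.request(Connection(origin, EV_POLICY_OID))           # GET the login form
    green_before_typing = b.indicator == "green"
    sent = b.request(Connection(origin, DV_POLICY_OID),    # POST the credentials
                     body="user=alice&pass=hunter2")        # constructed sample credentials
    return {"green_when_form_loaded": green_before_typing,
            "credentials_sent": sent,
            "indicator_after_submit": b.indicator,
            "leaked": [m["body"] for m in b.wire if m["body"]]}


def cookie_scenario(strict: bool) -> dict:
    """The second case in the post: a session cookie from an earlier EV login
    is attached to the very first request, so merely visiting sends it."""
    b = Browser(strict=strict)
    origin = "paypal.com"
    b.cookies[origin] = "session=constructed-sample-value"
    b.strongest_seen[origin] = EV_POLICY_OID  # the user logged in earlier over EV
    sent = b.request(Connection(origin, DV_POLICY_OID))   # GET the front page
    return {"cookie_sent": sent,
            "indicator_after_visit": b.indicator,
            "cookies_on_wire": [m["cookie"] for m in b.wire if m["cookie"]]}


if __name__ == "__main__":
    for strict in (False, True):
        label = "hypothetical strict" if strict else "today's browser"
        print(label, login_scenario(strict), cookie_scenario(strict))
```

Running it shows the indicator turning from "green" to "plain" only after the credential-bearing request has been recorded on the wire; the strict variant blocks both the submission and the cookie-bearing visit before anything is sent, which is the kind of per-origin memory a trust model would need and which the stateless, per-request design of today's browsers lacks.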

The summary here is:

  • The web is designed around stateless HTTP requests, and a user has no basis to assume that a subsequent HTTP request will be made under similar conditions to the current one.

  • Browsers are designed to make trust decisions reflexively. By the time a web page has loaded the trust decision has already been made. Any model based on users deciding whether to trust a website after a page has loaded is fundamentally broken.

  • CAs sell EV certificates because they're a way to upsell people into paying more for a certificate.

    (As far as I recall, EV certificates and the “green bar” were actually a carrot offered by browser vendors to make them more willing to agree to changes to the CA ecosystem which they worried might affect their bottom line. I can't remember what those changes were exactly or how this played out, but I distinctly recall reading a blog post about it — perhaps someone can point me to it.)