In this era of online ubiquity there should be another layer of opt-in validation, ring of trust, p2p feedback and rating, that can all be plugged into the consumer web experience.
If we have a centralised "licensing" solution, it is abused by large capital to wash off smaller ones - there are plenty of examples.
If we have a decentralised solution (which is basically what a review is) - it is immediately abused by "marketers".
There is no simple and easy solution to the problem.
When you register a business you also provide your official domains and so the validity of the website is checked against the validity of the business.
First with domain names. The domain "nissan.com" is not owned by the well-known car company but by a completely unrelated computer company. As "Nissan Motors v. Nissan Computer" settled, this is totally fine and Nissan Computer still owns the domain.
Besides exact matches there are also similar-looking names. For example, a student named Mike Rowe started a small web design company called MikeRoweSoft, which drew the attention of Microsoft, leading to "Microsoft v. MikeRoweSoft" - which was settled out of court and resulted in the domain being transferred to Microsoft.
Second are Extended Validation domains - which used to show the company name in the URL bar. As Ian Carroll demonstrated[0] this isn't really worth a lot, and browsers no longer bother showing it at all[1].
Company names also often overlap when they are active in different areas, such as Apple Corp (record label founded by The Beatles) and Apple Inc. (tech multinational) - which over the years have shifted towards a rather impressive market overlap! Some companies are split with both sides keeping the original name, such as Motorola Inc.'s split into Motorola Solutions and Motorola Mobility. Sometimes products are sold under a completely different brand name, such as HMD selling Nokia-branded smartphones, or TP Vision selling Philips-branded televisions while MMD sells Philips-branded gaming monitors!
The thing is, reality is just too complicated for a "very simple" register. How are you supposed to fit in all of the scenarios listed above while still keeping it usable?
[0]: https://arstechnica.com/information-technology/2017/12/nope-... [1]: https://www.troyhunt.com/extended-validation-certificates-ar...
I think this can just add layers of bureaucracy that don't address the problem anyway.
In the early days of widespread internet use in Sweden it was quite difficult to register a .se web address: not only were company documents needed, but the authority that granted use of the address also split your right to it geographically within Sweden, so that if you wanted the address to stretch across the whole country you needed to make multiple applications (using a subdomain system).
This process just made it almost impossible for a small personal startup to own a Swedish domain, and it was completely impossible to register a domain on a 'try-it' basis, to see if a nascent business idea would take off.
In other words it just entrenched the dominant position of incumbents.
What happened instead was that Swedes registered .com addresses, or .nu ('now' in Swedish), or other variations. And the same sort of thing would happen now: the international fraudulent sites would still be possible - just legitimate registrations would become much harder.
A little like what happens with pirating, where people using pirated software often have to jump through fewer hoops than legitimate users, who've paid for their installs, but need to constantly dial-up to be allowed to keep using the tools they've bought.
tldr; more bureaucracy for legitimate businesses, but doesn't address the core problem for end-users.
For any site with a commercial intent (which is pretty loosely defined) it is mandatory to have an Imprint with the person representing the company, the address of the HQ as well as the company's registration number and court location. It makes it somewhat more transparent what company is behind the site and gives you information you can look up in public registries.
I hate it from a privacy perspective but it's okay for consumer protection.
We could use government-issued tokens, maybe on a government-run blockchain.
And we could use the same for our personal (corporate) selves, such that all of our economic interactions were moderated through a government-run identity blockchain.
I want the mark on my forehead please, not the wrist, so I can pay by bowing my head to the money-god instead of just laying my wrist on the sensor.
What could possibly go wrong?
These sites are literally made to steal my grandma's money when she's buying presents for Christmas and what not.
It's inspiring to see you follow up like this and help out a wonderful mountain shop. A great reminder and inspiration to be more involved in my community.
1. Knowing that the company using the certificate is who they say they are doesn't necessarily mean you can trust them not to be fraudulent traders.
2. Control of the domain names and associated certificates can change hands after the fact, officially through buyouts/merges or via more nefarious means, just like any other certificate.
and of course the other key question to address which is:
3. How do you trust those validating the certificate? The average user is not going to know/care that a rogue CA exists and it might take some time for their actions to be noticed and for appropriate revocations to happen.
However they were intended to be used, HTTPS and certificates for it are used to protect data in transit and not really for identity assurance.
----
There is also the more cynical view that the main thing EV certs addressed was the desire for CAs to bring in some revenue, especially as standard certs became more and more a commodity item (now effectively free) with low or zero margins.
Fairly sure you could do an HTML search with Google; 7 stores having extremely similar HTML and images seems rather unlikely.
Effectively, it's VirusTotal but for copycat sites.
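One way to make the "extremely similar HTML" check concrete, as an added example that is not from this thread: fingerprint each page's tag structure so that clones built from one storefront template score as near-duplicates even when shop names, items and prices differ. The sample pages and the 0.8 threshold are constructed assumptions.

```python
"""Flag near-duplicate storefront pages by comparing their HTML tag structure."""
from html.parser import HTMLParser
from itertools import combinations


class TagSequence(HTMLParser):
    """Collect the sequence of opening tag names, ignoring text and attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def structure_shingles(html, k=4):
    """Set of k-grams over the tag sequence. Text edits (shop name, prices)
    leave this fingerprint unchanged, so pages cut from one template collide."""
    p = TagSequence()
    p.feed(html)
    t = p.tags
    return {tuple(t[i:i + k]) for i in range(max(1, len(t) - k + 1))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def copycat_pairs(pages, threshold=0.8):
    """Return (name_a, name_b, score) for each pair of pages whose template
    similarity is at or above the threshold (assumed tuning value)."""
    fp = {name: structure_shingles(html) for name, html in pages.items()}
    return [(a, b, round(jaccard(fp[a], fp[b]), 2))
            for a, b in combinations(sorted(fp), 2)
            if jaccard(fp[a], fp[b]) >= threshold]


# Constructed sample: two "stores" share one template, a third is unrelated.
TEMPLATE = ("<html><head><title>{shop}</title></head><body><header><nav><ul>"
            "<li><a>Home</a></li><li><a>Jackets</a></li></ul></nav></header>"
            "<main><div><img><h2>{item}</h2><p>{price}</p><button>Buy</button>"
            "</div></main><footer><p>{shop}</p></footer></body></html>")
SAMPLE_PAGES = {
    "alpine-outlet.example": TEMPLATE.format(shop="Alpine Outlet", item="Shell jacket", price="$59"),
    "summit-deals.example": TEMPLATE.format(shop="Summit Deals", item="Down parka", price="$49"),
    "localshop.example": "<html><body><h1>Mountain Shop</h1><table><tr><td>Boots</td>"
                         "<td>$120</td></tr></table><form><input><input></form></body></html>",
}

if __name__ == "__main__":
    print(copycat_pairs(SAMPLE_PAGES))
```

Comparing tag structure rather than raw bytes is what lets the check survive the cosmetic edits a copycat makes; pairing it with an image-hash comparison would cover the "and images" half of the observation.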
If I go to urlscan.io and look at the recently scanned sites (which are live-updated), every now and then I can find links with potentially sensitive information.
I found OneDrive and SharePoint links. I was unable to actually access the documents in them (it asked me to login), but I could see their content (or metadata) with UrlScan's "live screenshot" feature.
At one point, it scanned a "reset password" link with the authentication token in the query string (!). I was able to access that link and I would likely be able to reset the password for that specific user. I won't share the underlying website so others don't go ahead looking for it, but it was for a non-US government service.
The impression I have is that some email provider (or perhaps some antivirus software?) is automatically scanning user emails and the links are being shared publicly, alongside a "live screenshot".
I might be missing something, but this is weird.
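The failure described above, a one-time reset token riding in a query string that then gets forwarded to a public scanner, is something the sending side can guard against. As an added example that is not from this thread or from urlscan.io, the function below masks secret-bearing query values and drops the fragment before a URL is shared or logged; the parameter-name list, the opaque-value heuristic and the sample URLs are constructed assumptions.

```python
"""Redact secret-bearing query parameters before a URL is submitted to a public
scanner or written to a log. Biased toward over-redaction: a false positive costs
a masked value, a false negative leaks a credential."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry one-time or bearer secrets (assumed list).
SENSITIVE_NAMES = re.compile(
    r"(token|code|key|sig|secret|session|auth|password|pass|reset|otp|ticket|nonce)",
    re.IGNORECASE)
# Values that look like opaque credentials: long hex/base64url blobs, no spaces.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-=.]{24,}$")


def is_sensitive(name, value):
    return bool(SENSITIVE_NAMES.search(name)) or bool(OPAQUE_VALUE.match(value))


def redact_url(url, mask="REDACTED"):
    """Return (redacted_url, list_of_masked_parts). Query values are masked in
    place; the fragment is dropped whole because token-in-fragment flows exist."""
    parts = urlsplit(url)
    hits, clean = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive(name, value):
            hits.append(name)
            clean.append((name, mask))
        else:
            clean.append((name, value))
    if parts.fragment:
        hits.append("#fragment")
    new = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(clean), ""))
    return new, hits


def safe_to_share(url):
    """True when nothing had to be masked, i.e. the URL can go to a scanner as-is."""
    return not redact_url(url)[1]


# Constructed sample URLs (example.gov / example.com are reserved names).
RESET_LINK = ("https://portal.example.gov/account/reset"
              "?user=12345&token=9f3c2b1a4d5e6f7081920a1b2c3d4e5f&lang=en")
CALLBACK_LINK = "https://app.example.com/callback#access_token=abc123"
PRODUCT_LINK = "https://shop.example.com/jackets?color=red&page=2"

if __name__ == "__main__":
    for u in (RESET_LINK, CALLBACK_LINK, PRODUCT_LINK):
        print(redact_url(u))
```

Secrets embedded in the path (many document-sharing links work that way) are not caught by this function; those need a per-service allowlist of shareable paths rather than a generic query-string filter.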