If you think EV certs are over-priced, then there's a big market opportunity waiting for you: just make a CA that sells them cheaper!
In practice, you probably won't do that, because if you look into the various costs EV CAs have, you'll find that the cost of what they're doing is actually non-trivial and it's not exactly a license to print money. Add up the costs of the company, the audits, the hardware to protect the keys, the humans to perform the manual verifications of the cert requests, the OCSP servers, the software dev costs etc ... it's not zero.
With respect to phishing, yes, you could get "Bang of America" (possibly), but this comes with two MASSIVE caveats:
• You cannot do so anonymously, or at least it's very difficult to do so.
• You cannot get something like "Bank of America System Network" because the CAs have procedures in place to stop that sort of thing ... like human review.
In practice, phishing sites based on similar-looking letters were a thing decades ago but haven't been so for a long time, partly because there's only a tiny number of such combinations and the legit companies normally own them all. My experience of phishing sites from a few years ago was that they either used misleading DNS names like "www.bankofamerica.com.net.cdn.co.cn", which exploit the fact that people stop reading at ".com", or just didn't care at all and used phishing sites hosted on hacked web servers, which exploit the fact that a lot of people don't ever look at the URL bar at all.
EV is a key step towards fixing both problems, by giving people sensible, human-meaningful identifiers that are read left to right instead of right to left, and by providing a friendly name that could (in a smart browser) replace the junk in the URL bar entirely. If most sites used EV certs there's a chance users would actually start reading the URL bar again, and then they'd know where they are online.
I agree that companies whose primary web identities don't match their legal identities are an issue for EV certs, although arguably that problem will confuse users sooner or later anyway (e.g. if they need to send/receive money from that company). Better to have the names synced.
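Two points in the comment above lend themselves to a worked illustration: DNS names are read right to left, so the controlling domain of "www.bankofamerica.com.net.cdn.co.cn" is whatever sits at the right-hand end, and a CA's vetting needs a way to flag organisation names that merely resemble a well-known one ("Bang of America") or embed it ("Bank of America System Network"). The following Python is an added example written for this page, not code from the commenter or from any CA or browser. It assumes a tiny, constructed stand-in for the Public Suffix List (a real deployment would load the full list from publicsuffix.org) and a constructed list of protected names; both are labelled in the code.

```python
# Added example (not from the original comment). Demonstrates, from a
# defender's side, (1) extracting the registrable domain of a hostname by
# reading it right to left and (2) flagging organisation names that a CA's
# human reviewer should look at because they resemble or embed a known name.

import re

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Assumption: a real check loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "co.cn", "uk", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of hostname, walking its labels from the right.

    The longest public suffix wins, so 'www.bankofamerica.com.net.cdn.co.cn'
    resolves to 'cdn.co.cn': the 'bankofamerica.com' part is just a
    subdomain label chosen by whoever controls 'cdn.co.cn'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # No known public suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def misleading_hostname(hostname: str, legit_domains: set[str]) -> bool:
    """True when a legitimate domain appears inside the hostname but the
    registrable domain is something else entirely."""
    rd = registrable_domain(hostname)
    if rd in legit_domains:
        return False
    h = hostname.lower()
    return any(legit in h for legit in legit_domains)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(name: str) -> str:
    return re.sub(r"\s+", " ", name.strip().lower())


def needs_human_review(org_name: str, protected: set[str], max_distance: int = 2) -> bool:
    """Flag an EV subject organisation name for manual vetting when it is within
    max_distance edits of a protected name, or contains one outright."""
    cand = _normalise(org_name)
    for name in protected:
        p = _normalise(name)
        if p in cand or edit_distance(cand, p) <= max_distance:
            return True
    return False


# Constructed sample data for a stand-alone run.
LEGIT_DOMAINS = {"bankofamerica.com"}
PROTECTED_NAMES = {"Bank of America"}

if __name__ == "__main__":
    for host in ("www.bankofamerica.com.net.cdn.co.cn", "secure.bankofamerica.com"):
        print(host, "->", registrable_domain(host),
              "(misleading)" if misleading_hostname(host, LEGIT_DOMAINS) else "")
    for org in ("Bang of America", "Bank of America System Network", "Acme Widgets Ltd"):
        print(f"{org!r}: review={needs_human_review(org, PROTECTED_NAMES)}")
```

The domain check is the part a browser (or a mail filter) can automate: it surfaces the registrable domain that a user reading left to right would otherwise miss. The name check is only a triage filter for the human review the comment mentions; it says which applications deserve a close look, not whether they should be refused.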