A user visiting the website of a fake shop could check the certificate and, if they don't know what Cloudflare is, they could believe that the shop is operated by an existing company registered in the US and therefore trust the (fake) shop.
A user on a phishing site targeting Cloudflare could check the certificate, see Cloudflare in the subject and believe it to be an official Cloudflare website.
A user using a website that is using the Cloudflare proxy could check the certificate and remember that it has Cloudflare in the subject. Then, when he is on a phishing website, he will check the certificate subject, see the same value, believe it to be operated by the same entity and enter his credentials.
... or various recommendations explaining how to check certificate details to assess whether a website is trustworthy should be changed.
This discussion is a prime example of why OV / EV TLS certificates should be phased out. They are promising more to the end user than they can deliver, and the community wasn't able to make them truly work in 25 years…
/Rufus
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADYDTCCXUm_P0x%2BnUHAcVEh_gHS8JXvoeh3Skd3nRH9kv5gZkA%40mail.gmail.com.
OV and EV certificates contain the name of the organization besides the domain name.
The commonName is just a DNS name, one of the names in the SAN. It's deprecated, but CAs still add it there, probably for compatibility reasons. I agree that it might confuse users and should probably be removed entirely.
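As an added illustration (not code from any post in this thread), the following Go program builds a constructed self-signed certificate with a Cloudflare-style organisation and a commonName in the subject, and shows that hostname verification consults only the SAN entries: the subject O and the legacy CN play no part in the match. The organisation string, CN and hostnames are made-up test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a self-signed certificate (constructed test data, not a real
// Cloudflare certificate): subject O and CN are what a user reads in the certificate
// viewer, the SAN dNSName entries are the hostnames the certificate is issued for.
func makeTestCert(org, cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether the certificate is valid for host. Like browsers,
// Go's VerifyHostname matches only the SAN entries; the subject O and the legacy
// CN are never consulted, so a familiar organisation name proves nothing about
// which site the certificate belongs to.
func HostMatches(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	cert, err := makeTestCert("Cloudflare, Inc.", "sni.proxy.example", []string{"shop.example", "*.shop.example"})
	if err != nil {
		panic(err)
	}
	fmt.Println("subject O:", cert.Subject.Organization, "CN:", cert.Subject.CommonName, "SAN:", cert.DNSNames)
	fmt.Println("www.shop.example:", HostMatches(cert, "www.shop.example"), "sni.proxy.example:", HostMatches(cert, "sni.proxy.example"))
}
```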