I’ve always felt that we need a tool to be able to answer such a question.

My bank also uses a different hyphenated domain name on emails… another use case could be to check for legit social media profiles, because fakes are popular too and may not be discernible to a regular grass-touching, not-so-online individual in 2025.

Maybe we could introduce the concept of subdomains. Paypal could, for example, have a corp.paypal.com address that points to their corporate blog. I know, a bit out there, but maybe DNS2 will ship with this feature.

With subdomains, you might leak cookies accidentally or maliciously to the root domain. They are not as separated as real domains are.

Then don't put anything on the root domain and use www.paypal.com for the main operations. corp.paypal.com's cookies are separated from www.paypal.com's.

But paypal.com's cookies are shared with corp.paypal.com and, depending on headers and fields, possibly vice versa.

My browser lists 8 .paypal.com cookies and 2 www.paypal.com cookies when I visit www.paypal.com. Those cookies are shared with https://fastlane.paypal.com/ (some random subdomain I found online).

They can separate those cookies out, of course, but they don't need to if they use separate domains and the cheapest work is work that doesn't need doing.

They also seem to own paypal.ai, which mcp.paypal.com redirects to the docs of; it could also just be a branding thing.

www.paypal.com can create a cookie for paypal.com and that cookie will be sent with corp.paypal.com requests. And vice versa, of course.
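A small model of the cookie scoping rules the comments above are describing, added here as an illustration and not taken from any of the comments: it applies the RFC 6265 domain-match rule to decide which stored cookies a browser would attach to requests for each host. The hostnames and cookie names are constructed, and the public-suffix check real browsers also apply is left out.

```javascript
// Minimal model of RFC 6265 cookie scoping (constructed example, not a
// real browser's cookie jar). Shows why a Domain=paypal.com cookie set by
// www.paypal.com reaches corp.paypal.com and any other subdomain.

// RFC 6265 §5.1.3 domain-match: the host equals the cookie domain, or is a
// subdomain of it (suffix match on a label boundary).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Store a cookie set by `settingHost`. Without a Domain attribute the cookie
// is host-only (sent to that exact host). With a Domain attribute, the
// setting host must itself domain-match the attribute, otherwise the browser
// rejects the cookie (modelled here as returning null).
// Real browsers additionally reject Domain values that are a public suffix
// such as "com"; that check is omitted in this model.
function storeCookie(settingHost, name, domainAttr) {
  if (domainAttr === undefined) {
    return { name, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const d = domainAttr.replace(/^\./, '');
  if (!domainMatches(settingHost, d)) return null;
  return { name, domain: d.toLowerCase(), hostOnly: false };
}

// Names of the stored cookies that would be attached to a request for `host`.
function cookiesFor(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)))
    .map(c => c.name);
}

// Constructed jar mirroring the thread: a ".paypal.com" cookie and a
// "www.paypal.com" host-only cookie set by www, plus two set by corp.
const jar = [
  storeCookie('www.paypal.com', 'session_shared', 'paypal.com'),  // Domain=paypal.com
  storeCookie('www.paypal.com', 'www_only'),                       // host-only
  storeCookie('corp.paypal.com', 'corp_only'),                     // host-only
  storeCookie('corp.paypal.com', 'corp_shared', 'paypal.com'),    // also Domain=paypal.com
].filter(Boolean);

// corp.paypal.com receives www's shared cookie, and www receives corp's;
// fastlane.paypal.com and the bare paypal.com receive both shared cookies;
// a look-alike such as paypal-secure.com receives none of them.
for (const host of ['www.paypal.com', 'corp.paypal.com', 'fastlane.paypal.com', 'paypal.com', 'paypal-secure.com']) {
  console.log(host, '->', cookiesFor(jar, host));
}
```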

EV certs used to do exactly that for me, that is until browsers stopped making the visuals of it special. I don't think it would even be viable today given the short expiry (which is a good thing) of the TLS certs necessary for browsers.

https://en.wikipedia.org/wiki/Extended_Validation_Certificat...

You can still do all the checks you need, they're right there in the connection properties. This website is OV-certified (not EV) to PayPal, Inc. in San Jose by DigiCert Inc.

You do need to know what US state PayPal is registered in for them to work, of course, as proven by https://arstechnica.com/information-technology/2017/12/nope-... during the time EV certificates were still considered special.

I don't see why EV wouldn't be viable. ACME can work with any certificate. A certificate authority can just sign new certificates every week at the request of an authenticated ACME client. The biggest issue with this workflow is the CA's billing flow optimised for the "pay once, hand over a file once" workflow.

I talked about introducing a notability criterion in the US, and other jurisdictions where duplicate registrations are possible. The Chrome people weren't interested.

Shouldn't be an issue to deliver two certificates: a short-lived one for TLS, a long-lived one for the identity.

WHOIS used to be semi useful, though most records tend to be redacted for the average user now.

`dig` on DNS also: if it resolves to the same IP as paypal, for example, that adds confidence. Though again, nowadays less useful due to a lot of things being behind Cloudflare.