
Extended Validation certificates and cross-site scripting

Posted Mar 15, 2008 0:35 UTC (Sat) by iabervon (subscriber, #722)
In reply to: Extended Validation certificates and cross-site scripting by gerv
Parent article: Extended Validation certificates and cross-site scripting

The assurances that they claim, even assuming that they are met, aren't meaningful. The only
meaningful question is whether the site really is the site the user thinks it is, and that's
something that a CA can't determine, because the CA doesn't know what site the user thinks
something is. For example, there have been multiple organizations called, informally, "Chart
Bank" doing business in Massachusetts in the last five years, entirely legally. If I'm a
customer of one of them, and end up at the web site for a different one of them, I'm likely to
reveal personal information and passwords to a third party with whom I have no business
relationship and whose policies on data collected from failed login attempts I don't know.

The only way to get a meaningful increase in security over regular SSL certificates is to
ignore the CA entirely, and reserve the green location bar plus a user-selected description
for certificates that the user has independently verified with the organization (for example,
by comparing the certificate fingerprint with a fingerprint printed on their bank statements).
Then, if the user goes to any site that doesn't have that certificate (or, more reasonably,
doesn't have a certificate signed by the bank's signing certificate), it might get the lock
and a yellow bar, but it won't get "My Bank" and a green bar, even if it's some legitimate
site that could be the user's bank but happens not to be.
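The user-pinned trust decision sketched in the comment above, as an added example in Python (not part of the original comment or of any browser): certificates are constructed stand-in byte strings, fingerprints are SHA-256 over those bytes, and the "signed by the bank's signing certificate" case is simplified to matching the signer's fingerprint rather than verifying a signature.

```python
import hashlib
import re

def normalize_fingerprint(printed: str) -> str:
    """Accept the forms a statement or dialog might print ("AB:CD:...",
    "ab cd ...", "abcd...") and return the fingerprint as lowercase hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", printed)
    if len(digits) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits.lower()

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def add_pin(store: dict, site_name: str, printed_fp: str, kind: str = "leaf"):
    """Record a fingerprint the user verified out of band, under the user's
    own name for the site. kind="leaf" pins one certificate; kind="signer"
    pins the bank's own signing certificate so renewals it issues still match."""
    entry = store.setdefault(site_name, {"leaf": set(), "signer": set()})
    entry[kind].add(normalize_fingerprint(printed_fp))

def decide_ui(store: dict, leaf_der: bytes, issuer_der=None, ca_valid=False):
    """Return (label, bar colour) for the location bar. Simplification (assumed
    here): the issuer is identified only by the fingerprint of the certificate
    that signed the leaf; a real client verifies that signature first."""
    leaf_fp = fingerprint(leaf_der)
    issuer_fp = fingerprint(issuer_der) if issuer_der else None
    for name, pins in store.items():
        if leaf_fp in pins["leaf"] or issuer_fp in pins["signer"]:
            return name, "green"
    # Nothing the user verified: fall back to plain CA status, never green.
    return (None, "yellow") if ca_valid else (None, "none")

# Constructed stand-ins for DER certificates (not real certificates).
MY_BANK_LEAF_DER = b"constructed: My Bank leaf certificate"
MY_BANK_SIGNER_DER = b"constructed: My Bank internal signing certificate"
OTHER_BANK_LEAF_DER = b"constructed: another Chart Bank, CA-valid, not pinned"

PIN_STORE: dict = {}
add_pin(PIN_STORE, "My Bank", fingerprint(MY_BANK_LEAF_DER).upper())
add_pin(PIN_STORE, "My Bank", fingerprint(MY_BANK_SIGNER_DER), kind="signer")

if __name__ == "__main__":
    print(decide_ui(PIN_STORE, MY_BANK_LEAF_DER, ca_valid=True))
    print(decide_ui(PIN_STORE, OTHER_BANK_LEAF_DER, ca_valid=True))
```

A CA-valid certificate that the user never pinned gets the lock and a yellow bar only; the green "My Bank" label is reserved for the pinned leaf or anything issued by the pinned signer.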


Extended Validation certificates and cross-site scripting

Posted Mar 15, 2008 11:20 UTC (Sat) by gerv (guest, #3376)

"For example, there have been multiple organizations called, informally, "Chart Bank" doing
business in Massachusetts in the last five years, entirely legally."

Right. But the one you visit will have certain info in its EV cert, such as its registered
address, and others will have other info. And they _all_ will be legitimate businesses. And,
if they have the same name, they are very unlikely to have similar websites. It's not in their
best interests to promote confusion!

And also, accidentally revealing personal information to a legitimate bank meant for another
bank is not even close to being in the same league as revealing it to a phisher.

Gerv


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds