> That's certainly a problem, but most people are using trustworthy ISPs (at least in this sense). Comcast seems unlikely to try to steal your bank password, and Verizon is unlikely to try to harvest your HN cookies.
But if you are tricked into going to bankofamericaa.com instead of bankofamerica.com, a crook can be the proxy between you and your bank and you are none the wiser.
The difference is this bug will grant you the lock icon, and your browser will "guarantee" you're speaking to the real bankofamerica.
Practically speaking, that probably doesn't matter, because someone who understands that won't click on an email and log in to bankofamericaa.com. But there is a difference.
It is very easy to get a lock icon on bankofamericaa.com and to get your browser to insist you are speaking to the real bankofamericaa. What makes this bug interesting is you can get a lock icon for a fake website on bankofamerica.com using a MITM attack: making convincing "secure" websites on alternative URLs has always been possible.
Why does this matter? The browser isn't even at bankofamerica.com, it is at bankofamericaa.com: it "adds insult to injury", but it doesn't affect the attack. No browser would notice, even with the fanciest watchdog services and certificate pinning, whether the certificate of an unrelated website is "authentic" or not. The only way you are going to notice the name being wrong is if the user opens the certificate details dialog and reads the content; do you seriously think someone is going to do this and not look at the URL ;P? What this bug makes possible is not the age-old "wrong URL" attack, but an active MITM on the real URL.
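The name check the comments above are arguing about (a browser noticing that a certificate for bankofamericaa.com does not cover bankofamerica.com) as an added example, not code from the thread: a simplified RFC 6125 hostname matcher run against constructed certificate data. The input is assumed to have the dict shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Hostname verification: the check that makes a certificate issued for
bankofamericaa.com useless when the address bar says bankofamerica.com.
Simplified RFC 6125 section 6.4 matching over subjectAltName dNSName entries."""


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Return True if hostname is covered by a dNSName SAN entry in cert.

    cert has the shape of ssl.SSLSocket.getpeercert(): a dict whose
    'subjectAltName' is a tuple of (type, value) pairs. Rules applied:
      - case-insensitive, trailing dot ignored, no Common Name fallback
      - a wildcard must be the entire leftmost label and never spans a dot,
        so *.example.com covers a.example.com but not example.com or
        a.b.example.com; "*.com" style wildcards are refused outright
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = value.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" in pat_labels[0] and pat_labels[0] != "*":
            continue  # partial wildcards such as "b*.example.com" are rejected
        if any("*" in label for label in pat_labels[1:]):
            continue  # a wildcard anywhere but the leftmost label is rejected
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # "*.com" would cover every .com host; refuse it
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Constructed certificates (not real ones): one for the look-alike domain
# from the thread, one wildcard certificate to exercise the wildcard rules.
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "bankofamericaa.com"),
                                     ("DNS", "www.bankofamericaa.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    # The look-alike certificate is valid for its own name only: a browser
    # presented with it at bankofamerica.com rejects the connection.
    print(hostname_matches("bankofamericaa.com", LOOKALIKE_CERT))  # True
    print(hostname_matches("bankofamerica.com", LOOKALIKE_CERT))   # False
```

The lock icon on the look-alike site is therefore the check working as designed; only a bug in this step (or in chain validation) lets a certificate pass for a name it does not cover.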
Well yeah, but the point is there's nothing stopping the attackers from putting a valid certificate on bankofamericaa.com to make that green bar appear.