I just got a very phishy-looking email from Vodafone. It had encoding errors and nothing more than my name in it. It asked me to confirm my email address, and in order to do that I had to enter some contract details after clicking a link. It turned out to be genuine and was indeed about a product I recently ordered from them.
Because it looked so phishy, I had double-checked that the domain was actually vodafone.de and that the certificate was issued by a trusted issuer. But it got me wondering – does that actually protect me from attacks like homograph attacks or overlong-encoding attacks? Are certificate issuers bound to some standard about checking the domain name that they are signing?
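The two attack classes the question names can be made concrete with a small hostname check. The following is an added example, not code from the question or from Vodafone: it shows what a homograph look-alike of vodafone.de turns into once it is converted to the form that actually appears in DNS and in a certificate (Punycode with the `xn--` prefix), flags labels that mix Unicode scripts, and shows that a strict UTF-8 decoder rejects an overlong byte sequence for `.` rather than quietly accepting it. The look-alike hostname and the raw byte strings are constructed for the example; they are not real domains seen in the wild. The example says nothing about what a CA checks, only what the end of the chain (the name in the address bar and in the certificate) looks like.

```python
"""Hostname sanity checks against homograph and overlong-encoding tricks.

Added example for the discussion above; the sample hostnames below are
constructed for illustration and are not real attack domains.
"""
import unicodedata
from typing import List, Optional, Set

# Constructed inputs: the genuine name and a look-alike whose two 'o's are
# U+043E CYRILLIC SMALL LETTER O, which renders identically to Latin 'o'.
GENUINE = "vodafone.de"
LOOKALIKE = "v\u043edaf\u043ene.de"


def to_ascii(hostname: str) -> str:
    """Convert a Unicode hostname to the form used in DNS and certificates.

    Any label containing non-ASCII characters comes back as Punycode with an
    'xn--' prefix. That prefix is what a careful reader should look for:
    a certificate for the look-alike is issued for the xn-- name, never for
    'vodafone.de', so a correct certificate check still tells the two apart.
    """
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> Set[str]:
    """Unicode script family of every letter in one label.

    Taken from the first word of the character name, e.g.
    'CYRILLIC SMALL LETTER O' -> 'CYRILLIC', 'LATIN SMALL LETTER V' -> 'LATIN'.
    Digits and hyphens are ignored because they are script-neutral.
    """
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def mixed_script_labels(hostname: str) -> List[str]:
    """Return the labels that mix scripts, a strong homograph signal.

    A label that is entirely Cyrillic is legitimate; one that is mostly Latin
    with a single Cyrillic letter spliced in is the classic look-alike.
    Browsers apply a related (stricter) policy when deciding whether to show
    a label as Unicode or as its xn-- form.
    """
    return [label for label in hostname.split(".")
            if len(scripts_in_label(label)) > 1]


def decode_hostname_strict(raw: bytes) -> Optional[str]:
    """Decode raw hostname bytes as UTF-8, rejecting overlong sequences.

    0xC0 0xAE is an overlong (non-shortest) encoding of '.'; a lenient
    decoder that accepted it could be steered into a different label split
    than the one a strict decoder sees. Python's decoder refuses it, and
    we return None instead of a guessed string.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    for name in (GENUINE, LOOKALIKE):
        print(f"{name!r:24} -> {to_ascii(name)}  mixed: {mixed_script_labels(name)}")
    # Constructed byte strings: a clean name and one with an overlong '.'.
    for raw in (b"vodafone.de", b"vodafone\xc0\xaede"):
        print(f"{raw!r:28} -> {decode_hostname_strict(raw)!r}")
```

The useful takeaway for the question is the first function: whatever the address bar renders, the certificate's subject alternative name is matched against the ASCII (xn--) form, so a look-alike cannot obtain or present a certificate that says `vodafone.de`; the remaining checks are what a client or log-review script can do to notice the look-alike before trusting what it sees.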