
Who requires these certs? I've always gotten the impression they are useful for 1) checking a box on some form; and 2) making more money for CAs.

And, if it's my job to check that box or to make money for a CA, well, that's fine. But, in terms of them actually having a real use, I'd love for someone to tell me what that real use actually is.




Everyone who operates a website with users that can be the phishing targets. Plain certs (DV) only tell you that you are talking to a server that has been validated to belong to a domain (and the talking is done encrypted).

For example: https://twitter.com/musalbas/status/1038919152826757122


Extended validation and organization validation (EV and OV) certificates do not solve any technical cause of phishing. They're also poor instruments for attacking the social efficacy of phishing attacks. The phishing demo you linked in that Twitter page is not mitigated by EV or OV certificates.

These "extra" certificates are sold at a premium 1) so CAs can earn more, despite the race to the bottom; and 2) so potential victim companies of data breaches can point to all the "extra" effort (read: money) they invested in security. But they fundamentally do not improve security, because they're predicated on the idea that non-technical end users will use increasingly more sophisticated methods of identity assurance. The software security industry has decades of case studies which demonstrate this is not the case.

Simply put: you can't solve phishing by stuffing more and more authentication signals into a URL bar and a padlock icon. Approximately all users won't even bother to check and most will simply click through warnings. Trying to design better, more "verified" certificates is a clear example of a local maximum. It seizes upon a weak proxy for security against phishing, then tries to optimize further with the bureaucratic scar tissue of identity verification. In so doing it completely loses focus on the core issue.


Yes, and yes, and yes. They seem to fall strongly into the category of things I wish I sold but I can't figure out why anyone buys.


I'm going to start brewing vats of neurons, as an anti-phishing measure. Anyone have any good ideas for a distribution mechanism?


Tinder?


That sounds like a problem of needing better identity indicators rather than verifying identity via EV.


That assumes that a significant number of people a) know that Google has an EV certificate and b) actually check it. To the first point, I'm not sure that Google actually does have an EV cert - looking at Google.com, I think they just have a DV cert. And to the second point, I suspect that few people actually check if the cert is EV or DV (if they check that the connection is encrypted at all).

Having an EV cert for yourwebsite.com does nothing to prevent phishing if people are directed to someotherwebsite.com.someotherwebsite.com. So, what's the point of going through the extra pain / expense of getting one?
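One way to do the "looking at Google.com" check above from the command line, as an added example (not code from any commenter): classify the certificate a host presents by the subject fields the EV Guidelines require. This is a heuristic; browsers check the certificatePolicies OID, which Python's `getpeercert()` does not expose. The default host and the sample certificate dict are assumptions.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV cert.
# Their presence is used as a heuristic, since getpeercert() does not expose
# the certificatePolicies extension that browsers actually check.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten the nested subject tuple from ssl.getpeercert() into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def classify_validation(cert):
    """Return 'DV', 'OV' or 'EV' for a cert dict shaped like ssl.getpeercert().

    DV identifies only the domain (no organizationName), OV adds the
    organization, EV also carries the incorporation fields listed above.
    """
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"
    if EV_SUBJECT_FIELDS <= set(subj):
        return "EV"
    return "OV"

def fetch_cert(host, port=443, timeout=5):
    """Connect with default verification and return the leaf cert as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape, standing in for a live EV cert.
SAMPLE_EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"  # assumed default
    print(host, "presents a", classify_validation(fetch_cert(host)), "certificate")
```

Note that the result only describes the certificate the contacted host presented; a valid EV certificate on a look-alike domain classifies as EV just the same, which is the point made above.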


There's not a lot of point to EV. Google and eBay don't even EV their primary domains; given what high-profile targets those are for phishing, the fact that they're not EV should tell you something about its utility as an anti-phishing measure.


As per [1], Twitter does use EV certs, but not everywhere. It depends on the geographical location. The author of this article (Troy Hunt) never noticed this inconsistency, whilst he works in security.

Given that he never noticed it, and the fact that I've never heard of anyone else noticing it, I'd say that even when high-profile targets deploy EV, it still does nothing.

A possible exception might be banks. I've heard (I think in the HN comment thread of [1]) of people actually calling up banks asking why the name isn't in the green part of the browser. I know I check that address most often. I guess people are just most security aware when it comes to mixing the internet and money.

[1] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...


I recommend this presentation to help dispel a lot of misconceptions about phishing and how easy it is for even highly technically and security literate people to get phished:

https://www.youtube.com/watch?v=ZjW12K0IHgo


EV doesn't solve that problem though https://stripe.ian.sh


If you think EV has magical phishing-prevention sauce, you probably want to do more research on the topic. Especially since browsers are starting to tone down or even remove special visual signifiers for EV certs (since, if EV had incredible anti-phishing power, they wouldn't be doing that).


Literally all SSL was done this way prior to 2003 when DV was invented. The use case for verification on the web is the same as it is anywhere else.



