On Wed, Oct 29, 2014 at 10:02 PM, Dean Coclin <[email protected]> wrote:
>  But many people do in fact look at the security indicators. If that 
> statement were true, why do fraudsters bother to get SSL certs (mostly DV) 
> for their phishing websites?

Given that "Organization" is not a globally unique identifier, it
seems they could with some more effort also spoof that field.

(Which is why EV seems to actually make things more difficult for
users as they have to carefully check the domain, the Organization
field, and ensure that neither has changed, each time they visit.)


-- 
https://annevankesteren.nl/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
