As I understand it, Adam’s argument there was that to get value out of a revoked certificate, you need to be between the user and the web server so you can direct the traffic to your web server, so you’re already in position to also block revocation checks. I don’t think that maps here because a lot of the scenarios EV assists with don’t involve an attacker being in that position.
I know the question has been raised before as to why most phishing sites use DV. Some argue it’s because OV/EV are harder for people with bad intent to obtain. Some argue it’s because DV is more ubiquitous across the web and thus more ubiquitous on phishing sites. But regardless of which (or neither) is true, the very fact that EV certs are rarely (never?) used on phishing sites is in and of itself providing protection today to those of us who pay attention to it. I’d argue that alone means the seat belt isn’t worthless, and we should focus on building better seat belts rather than cutting them out and relying on the air bag alone.

On 12/13/17, 3:46 PM, "Gervase Markham via dev-security-policy" <[email protected]> wrote:

> On 13/12/17 11:58, Tim Shirley wrote:
>> So many of the arguments made here, such as this one, as well as the recent demonstrations that helped start this thread, focus on edge cases. And while those are certainly valuable to consider, they obscure the fact that “Green Bar” adds value in the mainstream use cases. If we were talking about how to improve EV, then by all means focus on the edge cases. The thing I don’t see in all this is a compelling argument to take away something that’s useful most of the time.
>
> My concern with this argument is that it's susceptible to the criticism that Adam Langley made of revocation checking:
> https://www.imperialviolet.org/2012/02/05/crlsets.html
>
> "So [EV identity is] like a seat-belt that snaps when you crash. Even though it works 99% of the time, it's worthless because it only works when you don't need it."
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

