I'm saying that even 'rarely' is presumptive - that is, that the lack of public evidence is equivalent to a lack of occurrence.
As to sharing examples, it presumes that the point of discussion is whether EV is an effective mitigator of phishing, which is a logically flawed viewpoint assuming correlation, if any, is equivalent to causation, or that the correlation is meaningfully significant for the discussion of security.

If the concern is phishing, we know more effective mitigators exist - both in terms of technology and user experience - so the continued focus on certificates, particularly EV, whether as a primary or a 'boots and suspenders' approach to mitigation is misguided.

If the concern is fraud, then we already have the existence proof to show the fundamental flaw in assuming a fraud mitigation. An exploit doesn't have to be used in the wild for it to be an exploit. Although that is itself its own topic of discussion - how vendors approach exploits. Regardless, it can be categorically stated that it does not prevent fraud.

On Wed, Dec 13, 2017 at 5:35 PM, Tim Shirley <[email protected]> wrote:

> No, I’m not presuming that; that’s why I put the ? after never. I’ve
> never heard of any, so it’s possible it really is never. But I’m pretty
> confident in at least the “rare” part because I’m sure if you knew of any
> you’d be sharing examples. ;)
>
> *From: *Ryan Sleevi <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, December 13, 2017 at 5:03 PM
> *To: *Tim Shirley <[email protected]>
> *Cc: *Gervase Markham <[email protected]>, "mozilla-dev-security-policy@
> lists.mozilla.org" <[email protected]>
> *Subject: *Re: On the value of EV
>
> "The very fact that EV certs are rarely (never?) used" is, of course,
> unsubstantiated with data. It's a logically flawed argument - you're
> presuming that non-existence is proof of non-existence.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

