If you look at where the HTTPS phishing certificates come from, they come almost entirely from Let's Encrypt and Comodo.

This is perhaps the best argument in favor of distinguishing between CAs that care about phishing and those that don't.

-Tim

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of Peter
> Gutmann via dev-security-policy
> Sent: Wednesday, December 13, 2017 4:23 PM
> To: Gervase Markham <[email protected]>; mozilla-dev-security-
> [email protected]; Tim Shirley <[email protected]>
> Subject: Re: On the value of EV
> 
> Tim Shirley via dev-security-policy <[email protected]> writes:
> 
> >But regardless of which (or neither) is true, the very fact that EV
> >certs are rarely (never?) used on phishing sites
> 
> There's no need:
> 
> https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
> 
> In particular, "the rate at which phishing sites are hosted on HTTPS pages is
> rising significantly faster than overall HTTPS adoption".
> 
> It's like SPF and site security seals, adoption by spammers and crooks was
> ahead of adoption by legit users because the bad guys have more need of a
> signalling mechanism like that than anyone else.
> 
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

