Perhaps, but Mozilla has stated their position on that, so it’s not germane to this thread and discussion.
You’re still making a logically flawed argument to say “Because (some) feeds of known phishing sources (with undefined definitions or resolution mechanisms) don’t contain an EV, EV is a defense against phishing”. That hasn’t changed. If I wanted to make logically flawed arguments, I could point out that many of these phishing sources are derived from users reporting them as such. If EV was a mitigation for phishing, phishers could be using EV certs like Ian’s or James’ (or potentially any EV cert, since we don’t know or have evidence that the organization matters to users) to phish users who don’t self report these sites, thus don’t end in the phishing feeds. Thus, EV enables undetectable phishing, therefore harms users. Is it plausible? Yes. Does it sound good? Hopefully. Is it a valid logical deduction? No - it’s speculation. What isn’t speculative is the complexity it brings. What is speculative is that the complexity is beneficial to users, not just a specially conditioned subset. Which we do know what that subset size was, and we don’t have evidence that it has grown.

On Wed, Dec 13, 2017 at 7:25 PM Tim Hollebeek via dev-security-policy <[email protected]> wrote:

> If you look at where the HTTPS phishing certificates come from, they come
> almost entirely from Let's Encrypt and Comodo.
>
> This is perhaps the best argument in favor of distinguishing between CAs
> that care about phishing and those that don't.
>
> -Tim
>
> > -----Original Message-----
> > From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Peter Gutmann via dev-security-policy
> > Sent: Wednesday, December 13, 2017 4:23 PM
> > To: Gervase Markham <[email protected]>; mozilla-dev-security-[email protected]; Tim Shirley <[email protected]>
> > Subject: Re: On the value of EV
> >
> > Tim Shirley via dev-security-policy <[email protected]> writes:
> >
> > >But regardless of which (or neither) is true, the very fact that EV
> > >certs are rarely (never?) used on phishing sites
> >
> > There's no need:
> >
> > https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
> >
> > In particular, "the rate at which phishing sites are hosted on HTTPS pages is
> > rising significantly faster than overall HTTPS adoption".
> >
> > It's like SPF and site security seals, adoption by spammers and crooks was
> > ahead of adoption by legit users because the bad guys have more need of a
> > signalling mechanism like that than anyone else.
> >
> > Peter.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy

