On 15/12/2017 02:30, Ryan Sleevi wrote:
On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy <
[email protected]> wrote:
On 14/12/2017 00:23, Peter Gutmann wrote:
Tim Shirley via dev-security-policy <
[email protected]> writes:
But regardless of which (or neither) is true, the very fact that EV
certs are
rarely (never?) used on phishing sites
There's no need:
https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
In particular, "the rate at which phishing sites are hosted on HTTPS
pages is
rising significantly faster than overall HTTPS adoption".
But how many of those are on *EV-certified https URLs* is the question
raised here.
No, it isn’t.
In particular, some participants insist there are many of those, but
have yet to post even a single concrete example, let alone statistics of
how many such examples exist.
Could you point to such an example where a participant insisted that? Or is
that merely a straw man argument used to advance a logically flawed
position?
Some participants have pointed out correlation is not causation - that you
can’t infer that never being attacked by a tiger while you’re holding a
particular rock means that the rock repels tigers, anymore than EV UI
prevents phishing.
YOU in particularly have kept insisting that it is a "myth" that
phishing sites don't use EV certificates, yet keep pointing to articles
about non-EV failures.
Now you rephrase it as "the EV UI versus phishing", dodging the
question.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
