On Fri, Dec 15, 2017 at 08:34:37AM +0100, Jakob Bohm via dev-security-policy 
wrote:
> YOU in particular have kept insisting that it is a "myth" that
> phishing sites don't use EV certificates, yet keep pointing to articles
> about non-EV failures.

As the Wikipedians say, "Citation Needed".  I don't recall Ryan ever saying
anything like that.  I think he has said that EV certificates don't prevent
phishing, which is not the same as "phishing sites use EV certs".

As far as phishers are concerned, EV certs are just like DV certs.  They
don't use them until they perceive a benefit, at which point they jump in
with both feet.  If anything, the fact that phishers don't use EV certs is
evidence that EV certs don't impart any indication of trustworthiness to
users -- as (IIRC) Peter Gutmann said earlier, phishers have *more* need for
a patina of trust than legitimate sites, so they'll grab onto anything that
works for that purpose.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
