Peter,

Do you have any empirical data to back up the claims that there is no benefit from EV certificates? From the reports I've seen, the percentage of phishing and malware sites that use EV is drastically lower than DV (which are used to protect the cesspool of websites).

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm <jb-mozi...@wisemo.com>
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

Jakob Bohm via dev-security-policy <email@example.com> writes:

>Problem example:
>[...]

You're explaining how it's supposed to work in theory, not in the real world. We have a decade of real-world data showing that it doesn't work, that there's no benefit from EV certificates apart from the one to CA's balance sheets. So the browser vendors are doing the logical thing, responding to the real-world data and no longer pretending that EV certs add any security value, both in terms of protecting users and of keeping out the bad guys - see the attached screen clip, in this case for EV code-signing certs for malware, but you can buy web site EV certs just as readily.

Peter.
_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy