Peter,

Do you have any empirical data to back up the claims that there is no benefit from EV certificates? From the reports I've seen, the percentage of phishing and malware sites that use EV is drastically lower than DV (which are used to protect the cesspool of websites).

Doug

-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: [email protected]; Jakob Bohm <[email protected]>
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

Jakob Bohm via dev-security-policy <[email protected]> writes:

>Problem example:
>[...]

You're explaining how it's supposed to work in theory, not in the real world. We have a decade of real-world data showing that it doesn't work, that there's no benefit from EV certificates apart from the one to CA's balance sheets. So the browser vendors are doing the logical thing, responding to the real-world data and no longer pretending that EV certs add any security value, both in terms of protecting users and of keeping out the bad guys - see the attached screen clip, in this case for EV code-signing certs for malware, but you can buy web site EV certs just as readily.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

