Do you have any empirical data to backup the claims that there is no benefit
from EV certificates?  From the reports I've seen, the percentage of
phishing and malware sites that use EV is drastically lower than DV (which
are used to protect the cesspool of websites).


-----Original Message-----
From: dev-security-policy <> On
Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To:; Jakob Bohm
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

Jakob Bohm via dev-security-policy <>

>Problem example:

You're explaining how it's supposed to work in theory, not in the real

We have a decade of real-world data showing that it doesn't work, that
there's no benefit from EV certificates apart from the one to CA's balance
sheets.  So the browser vendors are doing the logical thing, responding to
the real-world data and no longer pretending that EV certs add any security
value, both in terms of protecting users and of keeping out the bad guys -
see the attached screen clip, in this case for EV code-signing certs for
malware, but you can buy web site EV certs just as readily.

dev-security-policy mailing list

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to