So far I see is a number of contrived test cases picking apart small components 
of EV, and no real data to back it up.  Mostly academic or irrelevant research, 
imho.  Here are a couple of links posted in this thread: This post is intended for a 
technical audience interested in how an EV SSL certificate can be used as an 
effective phishing device <but no evidence this is a real world security 
concern> EV certificates with colliding entity names can be 
generated, but to date, I don’t know of any real attacks, just this academic 
exercise. And how much did it cost and how long did it Ian to get certificates 
to perform this experiment?  Way more time and money that a phisher would 
 references a number of studies. But none of them indicated that EV was bad or 
misleading or was a detriment to security, and a number of the references 
weren’t even related to EV (including irrelevant research links to bolster 
their claims to the uninformed)


I haven’t been counting the number of pro and cons emails, but there are a 
significant number of organizations questioning the changes by Google and 
Mozilla.  Mozilla and Google should reconsider their proposed changes.


Yes, I work for a CA that issues EV certificates, but if there was no value in 
them, then our customers would certainly not be paying extra for them.  
Shouldn’t the large enterprises that see a value in identity (as does 
GlobalSign) drive the need for ending EV certificates?  With Google and Mozilla 
being prominent Lets Encrypt sponsors we know their intent is to drive business 
to them vs. any of the commercially respectable CAs.  It’s actually counter 
productive to security to sponsor a CA that issues so many certificates to 
phishing and malware sites without any consequences.  Is this to increase the 
value of their malware site detection services?  Maybe..







From: Tom Ritter <> 
Sent: Thursday, August 15, 2019 1:13 PM
To: Doug Beattie <>
Cc: Peter Gutmann <>; MozPol 
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of 
the URL bar



On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy 
<> > wrote:


Do you have any empirical data to backup the claims that there is no benefit
from EV certificates?  From the reports I've seen, the percentage of
phishing and malware sites that use EV is drastically lower than DV (which
are used to protect the cesspool of websites).


I don't doubt that at all. However see the first email in this thread citing 
research showing that users don't notice the difference.



Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to