So far I see is a number of contrived test cases picking apart small components of EV, and no real data to back it up. Mostly academic or irrelevant research, imho. Here are a couple of links posted in this thread:
https://www.typewritten.net/writer/ev-phishing/: This post is intended for a technical audience interested in how an EV SSL certificate can be used as an effective phishing device <but no evidence this is a real world security concern> https://stripe.ian.sh/: EV certificates with colliding entity names can be generated, but to date, I don’t know of any real attacks, just this academic exercise. And how much did it cost and how long did it Ian to get certificates to perform this experiment? Way more time and money that a phisher would invest. https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md references a number of studies. But none of them indicated that EV was bad or misleading or was a detriment to security, and a number of the references weren’t even related to EV (including irrelevant research links to bolster their claims to the uninformed) I haven’t been counting the number of pro and cons emails, but there are a significant number of organizations questioning the changes by Google and Mozilla. Mozilla and Google should reconsider their proposed changes. Yes, I work for a CA that issues EV certificates, but if there was no value in them, then our customers would certainly not be paying extra for them. Shouldn’t the large enterprises that see a value in identity (as does GlobalSign) drive the need for ending EV certificates? With Google and Mozilla being prominent Lets Encrypt sponsors we know their intent is to drive business to them vs. any of the commercially respectable CAs. It’s actually counter productive to security to sponsor a CA that issues so many certificates to phishing and malware sites without any consequences. Is this to increase the value of their malware site detection services? Maybe.. * https://www.usenix.org/system/files/soups2019-drury.pdf * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf Baffled… From: Tom Ritter <t...@ritter.vg> Sent: Thursday, August 15, 2019 1:13 PM To: Doug Beattie <doug.beat...@globalsign.com> Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; MozPol <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: Peter, Do you have any empirical data to backup the claims that there is no benefit from EV certificates? From the reports I've seen, the percentage of phishing and malware sites that use EV is drastically lower than DV (which are used to protect the cesspool of websites). I don't doubt that at all. However see the first email in this thread citing research showing that users don't notice the difference.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy