On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
I also would like to see more evidence of problems. However, I have to
object to the idea that
> So far all I see is a number of contrived test cases picking apart small components
> of EV, and no real data to back it up.
> Mostly academic...research, imho...
is of little value. This treads dangerously close to nihilism.
I question that a phisher, who stands potentially to gain hundreds of
thousands or millions of dollars by phishing, e.g., the customers of a
major bank, would not, as this paper says, invest "48 hours from
incorporation to the issuance of the certificate" and "$177". This is a
trivial investment for a non-frivolous financial phisher, let alone,
say, a foreign government interested in phishing, say, a
voter-registration (or -- shudder! -- an e-voting) site.
> https://stripe.ian.sh/: EV certificates with colliding entity names can be
> generated, but to date, I don't know of any real attacks, just this academic
> exercise. And how much did it cost and how long did it take Ian to get certificates
> to perform this experiment? Way more time and money than a phisher would
> Yes, I work for a CA that issues EV certificates, but if there was no value in
> them, then our customers would certainly not be paying extra for them.
That your customers may perceive additional value in them doesn't mean
that they provide additional value to the general internet user. That
said, I lean toward Mozilla letting this debate settle out before hiding
EV support in release Firefox.