On Thu, Aug 15, 2019 at 2:46 PM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Peter,
>
> Do you have any empirical data to back up the claims that there is no
> benefit from EV certificates? From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>

I expect this is true, but it seems to me that if anything it is an argument that EV doesn't provide security value, not the other way around: DV certificates are much cheaper to obtain than EV, and so naturally if you just need a certificate you're going to get DV. OTOH, if users actually trusted EV more, it might be worthwhile for an attacker to get EV anyway.

-Ekr

> Doug
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
> <jb-mozi...@wisemo.com>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org>
> writes:
>
> >Problem example:
> >[...]
>
> You're explaining how it's supposed to work in theory, not in the real
> world.
>
> We have a decade of real-world data showing that it doesn't work, that
> there's no benefit from EV certificates apart from the one to CA's balance
> sheets. So the browser vendors are doing the logical thing, responding to
> the real-world data and no longer pretending that EV certs add any security
> value, both in terms of protecting users and of keeping out the bad guys -
> see the attached screen clip, in this case for EV code-signing certs for
> malware, but you can buy web site EV certs just as readily.
>
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy