On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:

> So far what I see is a number of contrived test cases picking apart small components of EV, and no real data to back it up. Mostly academic or irrelevant research, imho. Here are a couple of links posted in this thread:
>
> https://www.typewritten.net/writer/ev-phishing/: This post is intended for a technical audience interested in how an EV SSL certificate can be used as an effective phishing device <but no evidence this is a real world security concern>
>
> https://stripe.ian.sh/: EV certificates with colliding entity names can be generated, but to date, I don't know of any real attacks, just this academic exercise. And how much did it cost and how long did it take Ian to get certificates to perform this experiment? Way more time and money than a phisher would invest.
To be clear, I obtained this certificate during lunch while I was in high school, but I'm sure you read the post explaining the cost/time already. I hope we can agree our bar for security is higher than "a kid who got bored".

> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md references a number of studies. But none of them indicated that EV was bad or misleading or was a detriment to security, and a number of the references weren't even related to EV (including irrelevant research links to bolster their claims to the uninformed)
>
> I haven't been counting the number of pro and con emails, but there are a significant number of organizations questioning the changes by Google and Mozilla. Mozilla and Google should reconsider their proposed changes.
>
> Yes, I work for a CA that issues EV certificates, but if there was no value in them, then our customers would certainly not be paying extra for them. Shouldn't the large enterprises that see a value in identity (as does GlobalSign) drive the need for ending EV certificates? With Google and Mozilla being prominent Let's Encrypt sponsors we know their intent is to drive business to them vs. any of the commercially respectable CAs. It's actually counterproductive to security to sponsor a CA that issues so many certificates to phishing and malware sites without any consequences. Is this to increase the value of their malware site detection services? Maybe...

It is not worth it to respond to this bizarre theory. Sponsors of Let's Encrypt obviously have nothing to gain from more people using it; it's not like they pay dividends! You can slander them all you want, but it's not going to make anyone respect your opinion in the future.
> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter <t...@ritter.vg>
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie <doug.beat...@globalsign.com>
> Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; MozPol <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <firstname.lastname@example.org> wrote:
>
> > Peter,
> >
> > Do you have any empirical data to back up the claims that there is no benefit from EV certificates? From the reports I've seen, the percentage of phishing and malware sites that use EV is drastically lower than DV (which are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread citing research showing that users don't notice the difference.