On Thu, 15 Aug 2019 22:11:37 +0200 Eric Rescorla via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I expect this is true, but it seems to me that if anything it is an
> argument that EV doesn't provide security value, not the other way
> around: DV certificates are much cheaper to obtain than EV, and so
> naturally if you just need a certificate you're going to get DV.
> OTOH, if users actually trusted EV more, it might be worthwhile for
> an attacker to get EV anyway.

It is, as ever, simultaneously reassuring and annoying to see that EKR wrote what I was thinking, but more succinctly and a few hours before I got time to draft an email.

Further: my interpretation is that a LOT of phishing sites in 2019 only have DV certificates because that was the default. The crooks didn't think "I need a certificate"; they thought "I need a web site", and in 2019 a typical web site comes with a certificate - same as you don't need to buy separate seatbelts for your car these days.

If we are looking to protect users from phishing, we should promote WebAuthn, not Extended Validation, because we know WebAuthn actually protects users from phishing.

Nick.