Doug Beattie <doug.beat...@globalsign.com> writes:

>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozilla as the reason for removing the EV bling... one example is
the most obvious statistic, maintained by the Anti-Phishing Working Group
(APWG), which shows an essentially flat trend for phishing over the period of a
year in which EV certificates were phased in, indicating that they had no
effect whatsoever on phishing.  There are endless other stats showing that the
trend towards security is negative, i.e. it's getting worse every year; here
are some five-year stats from a quick google:

https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
