Doug Beattie <> writes:

>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozilla as the reason for removing the EV bling... one example is
the most obvious statistic, maintained by the Anti-Phishing Working Group
(APWG), which show an essentially flat trend for phishing over the period of a
year in which EV certificates were phased in, indicating that they had no
effect whatsoever on phishing.  There's endless other stats showing that the
trend towards security is negative, i.e. it's getting worse every year, here's
some five-year stats from a quick google:

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.

dev-security-policy mailing list

Reply via email to