I think that the phishing event count should focus on the number of phishing events
per organization.
If the phishing event count decreased after an organization starts to use an EV
certificate, the EV certificate should have some effect to reduce the phishing

Robin Lin

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie <doug.beat...@globalsign.com>;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
> Doug Beattie <doug.beat...@globalsign.com> writes:
> >Do you have any empirical data to backup the claims that there is no
> >benefit from EV certificates?
> Uhhh... I don't even know where to start.  We have over ten years of data and
> research publications on this, and the lack of benefit was explicitly cited by
> Google and Mozilla as the reason for removing the EV bling... one example is
> the most obvious statistic, maintained by the Anti-Phishing Working Group
> (APWG), which show an essentially flat trend for phishing over the period of a
> year in which EV certificates were phased in, indicating that they had no
> effect whatsoever on phishing.  There's endless other stats showing that the
> trend towards security is negative, i.e. it's getting worse every year, here's
> some five-year stats from a quick google:
> https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png
> If EV certs had any effect at all on security we'd have seen a decrease in
> phishing/increase in security.
> There is one significant benefit from EV certificates, which I've already
> pointed out, which is to the CAs selling them.  So when I say "there's no
> benefit" I mean "there's no benefit to end users", which is who the
> certificates are putatively helping.
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy