Eric Mill <e...@konklone.com> writes:

>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.

See also the screenshot I posted earlier. That was from a black-market web site selling EV certificates to anyone with the stolen credit cards to pay for them. These are legit EV certs issued to legit companies, available off the shelf for criminals to use. For a little extra payment you can get ones with high SmartShield scores so your malware is instantly trusted by the victim's PC.

>The burden is not on the web browsers to prove that EV is detrimental to
>security - the burden is on third parties to prove that EV is beneficial.

Yup, as per my previous post. We've got vast amounts of data on this, if there was a benefit to users then it shouldn't be hard to show that from the data.

Peter.
_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy