I'm not claiming that EV reduces phishing globally, just for those sites
that use them.  Do you have a chart that breaks down phishing attacks by SSL
certificate type? 

Here is some research that indicates EV sites have a reduced phishing
percentage, so customers accessing EV protected sites are safer:

-----Original Message-----
From: Peter Gutmann <> 
Sent: Thursday, August 15, 2019 10:03 PM
To: Doug Beattie <>;
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

Doug Beattie <> writes:

>Do you have any empirical data to backup the claims that there is no 
>benefit from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data
and research publications on this, and the lack of benefit was explicitly
cited by Google and Mozilla as the reason for removing the EV bling... one
example is the most obvious statistic, maintained by the Anti-Phishing
Working Group (APWG), which show an essentially flat trend for phishing over
the period of a year in which EV certificates were phased in, indicating
that they had no effect whatsoever on phishing.  There's endless other stats
showing that the trend towards security is negative, i.e. it's getting worse
every year, here's some five-year stats from a quick google:

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to