On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type? 
> Here is some research that indicates EV sites have a reduced phishing
> percentage, so customers accessing EV protected sites are safer:
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf


Can you point me to the specific research you're referring to? All I see in 
this presentation that's remotely relevant is a breakdown of the certificate 
types used on detected phishing sites across a couple months. If this data is 
correct, it doesn't seem to be useful information, and actually proves one of 
the points that is behind the removal of EV UI.

If EV is required for a successful phishing attack, then attackers will just 
get EV certificates. But all of the research that has been repeatedly brought 
up in this thread shows that users don't use the EV UI when making decisions 
about whether to trust a website, explaining why phishing sites don't use EV 
very much.

Additionally, the idea that sites that use EV experience less phishing seems 
deeply flawed. Banks are a huge target for phishing, and most of their websites 
have EV certificates.

An interesting and clear recent example of this is PayPal, which is obviously a 
very popular target for phishing. paypal.com technically has an EV certificate, 
but due to the certificate chain used since early 2018, the EV UI does not show 
up in the most popular browser (Chrome) on the most popular desktop operating 
system (Windows)[1]. Given the amount of phishing that PayPal experiences, it 
seems likely to me that they would have figured out how to fix this if they 
thought it was worth the effort. They haven't.


dev-security-policy mailing list

Reply via email to