On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:

> Peter,
>
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type?
>
> Here is some research that indicates EV sites have a reduced phishing
> percentage, so customers accessing EV protected sites are safer:
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
Doug,

Can you point me to the specific research you're referring to? All I see in this presentation that's remotely relevant is a breakdown of the certificate types used on detected phishing sites across a couple of months. If this data is correct, it doesn't seem to be useful information, and actually proves one of the points that is behind the removal of EV UI. If EV is required for a successful phishing attack, then attackers will just get EV certificates. But all of the research that has been repeatedly brought up in this thread shows that users don't use the EV UI when making decisions about whether to trust a website, explaining why phishing sites don't use EV very much.

Additionally, the idea that sites that use EV experience less phishing seems deeply flawed. Banks are a huge target for phishing, and most of their websites have EV certificates.

An interesting and clear recent example of this is PayPal, which is obviously a very popular target for phishing. paypal.com technically has an EV certificate, but due to the certificate chain used since early 2018, the EV UI does not show up in the most popular browser (Chrome) on the most popular desktop operating system (Windows) [1]. Given the amount of phishing that PayPal experiences, it seems likely to me that they would have figured out how to fix this if they thought it was worth the effort. They haven't.

Jonathan

[1] https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

