From: Jonathan Rudenberg <> 
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie <>; Peter Gutmann
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar


On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:



I'm not claiming that EV reduces phishing globally, just for those sites

that use them.  Do you have a chart that breaks down phishing attacks by SSL

certificate type? 


Here is some research that indicates EV sites have a reduced phishing

percentage, so customers accessing EV protected sites are safer:




Can you point me to the specific research you're referring to? All I see in
this presentation that's remotely relevant is a breakdown of the certificate
types used on detected phishing sites across a couple months. If this data
is correct, it doesn't seem to be useful information, and actually proves
one of the points that is behind the removal of EV UI.


DB: The presentation identifies that people don't set up phishing sites
using EV certificates, and yes, this data only over the last 11 months or


If EV is required for a successful phishing attack, then attackers will just
get EV certificates. But all of the research that has been repeatedly
brought up in this thread shows that users don't use the EV UI when making
decisions about whether to trust a website, explaining why phishing sites
don't use EV very much.


DB: One of the reasons that phishers don't get EV certificates is because
the vetting process requires several interactions and corporate repositories
which end up revealing more about their identity.  This leaves a trail back
to the individual that set up the fake site which discourages the use of EV.
DV is completely anonymous and leaves very few traces.


Additionally, the idea that sites that use EV experience less phishing seems
deeply flawed. Banks are a huge target for phishing, and most of their
websites have EV certificates.


DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
that EV sites don't get phished.


An interesting and clear recent example of this is PayPal, which is
obviously a very popular target for phishing. technically has an
EV certificate, but due to the certificate chain used since early 2018, the
EV UI does not show up in the most popular browser (Chrome) on the most
popular desktop operating system (Windows)[1]. Given the amount of phishing
that PayPal experiences, it seems likely to me that they would have figured
out how to fix this if they thought it was worth the effort. They haven't.


DB: Maybe they should get an EV certificate and help train the users to look
for that on their login page to reduce the chances that their customers are





Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to