From: Jonathan Rudenberg <jonat...@titanous.com> 
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie <doug.beat...@globalsign.com>; Peter Gutmann
<pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar


On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:

Peter,

I'm not claiming that EV reduces phishing globally, just for those sites
that use them.  Do you have a chart that breaks down phishing attacks by SSL
certificate type?

Here is some research that indicates EV sites have a reduced phishing
percentage, so customers accessing EV protected sites are safer:

   https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf


Doug,


Can you point me to the specific research you're referring to? All I see in
this presentation that's remotely relevant is a breakdown of the certificate
types used on detected phishing sites across a couple months. If this data
is correct, it doesn't seem to be useful information, and actually proves
one of the points that is behind the removal of EV UI.


DB: The presentation identifies that people don't set up phishing sites
using EV certificates, and yes, this data only covers the last 11 months or
so.


If EV is required for a successful phishing attack, then attackers will just
get EV certificates. But all of the research that has been repeatedly
brought up in this thread shows that users don't use the EV UI when making
decisions about whether to trust a website, explaining why phishing sites
don't use EV very much.


DB: One of the reasons that phishers don't get EV certificates is because
the vetting process requires several interactions and corporate repositories
which end up revealing more about their identity.  This leaves a trail back
to the individual that set up the fake site which discourages the use of EV.
DV is completely anonymous and leaves very few traces.


Additionally, the idea that sites that use EV experience less phishing seems
deeply flawed. Banks are a huge target for phishing, and most of their
websites have EV certificates.


DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
that EV sites don't get phished.


An interesting and clear recent example of this is PayPal, which is
obviously a very popular target for phishing. paypal.com technically has an
EV certificate, but due to the certificate chain used since early 2018, the
EV UI does not show up in the most popular browser (Chrome) on the most
popular desktop operating system (Windows)[1]. Given the amount of phishing
that PayPal experiences, it seems likely to me that they would have figured
out how to fix this if they thought it was worth the effort. They haven't.


DB: Maybe they should get an EV certificate and help train the users to look
for that on their login page to reduce the chances that their customers are
phished?


Jonathan


[1] https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy