Good afternoon all,

I would like to chime in with my two cents, if allowed:

1. Users do not notice the absence of a positive indicator. There is ample 
evidence, academic and otherwise. If users did notice the absence of a positive 
indicator, it follows that phishing without an EV certificate would be 
non-existent, as users would be noticing the lack of EV. Seeing the success of 
phishing indicates that users do not check for the absence of the indicator.

2. Further, if users did notice the lack of positive indicators, you can bet 
that phishers would do everything in their power to display the positive 
indicator. They don't, because... it doesn't matter. Even if we assumed that 
displaying the positive indicator did matter:

3. Obtaining an EV certificate is as easy as spending ~$100 to incorporate and 
waiting a day or two, or visiting an underground marketplace. It's not exactly 
breaking into Fort Knox.

Following these points to the logical conclusion, I cannot see why anyone 
(other than those with a financial interest in the sale of EV certificates) 
would be arguing against this UI change.



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 16 August 2019 13:37, Doug Beattie via dev-security-policy wrote:

> From: Ben
> Sent: Friday, August 16, 2019 9:33 AM
> To: Doug Beattie
> Cc: Jonathan Rudenberg; Peter Gutmann
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
> On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
> Surely this shows that EV is not needed to make phishing work, not that EV
> reduces phishing?
> [DB] It should show that users are safer when visiting an EV secured site.