On Fri, 16 Aug 2019 13:31:08 +0000 Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> DB: One of the reasons that phishers don't get EV certificates is
> because the vetting process requires several interactions and
> corporate repositories which end up revealing more about their
> identity. This leaves a trail back to the individual that set up the
> fake site which discourages the use of EV. DV is completely anonymous
> and leaves very few traces.

It's really tangential to Mozilla's purpose but it's worth dispelling this myth. Nothing about your identity is revealed.

Let's take the country I live in as an example, it looks superficially as though you need to reveal a lot of personal details to register a company in the United Kingdom. Surely this is all backed up with the considerable power of the government of a major world power, and so if I can track down which company is behind a phishing site then the individuals responsible won't be hard to find right?

Er, no. If you just lie on the paperwork nothing will happen. If private citizens point out specifically that the paperwork for your company is a tissue of lies, Companies House will reply to explain that alas the government doesn't have sufficient resources to investigate or do anything about it and so it's just too bad their records are largely fictitious nonsense. Still they promise they _care_ about this, it's a top priority, just not one that anything will be done about...

There has been exactly one prosecution for lying to Companies House in the modern era. They had the money and pursued it through the courts very enthusiastically on exactly that one occasion and no other. Guess why? Because someone wrote up paperwork for a bogus company naming famous politicians who'd done nothing to fix this for years. That was bad publicity, and so the government threw resources at "fixing" the problem, ie prosecuting the person who pointed out the corruption.

Read "Where there's Muck there's Brass Plates" for further examples of how much worse than a few fraudsters phishing for bank credentials the rot in British companies already is:

https://www.private-eye.co.uk/special-reports/where-theres-muck

Nick.