I don't know about other CAs, but at SSL.com we issue a very limited number of 
EV SSL certificates in comparison to other certificates so it's not a big 
revenue driver.

However, as a user I support EV SSL. I personally have never come across a scam 
site that displayed an EV SSL (I'm not saying they don't exist). Has anyone 
else come across a "scam site" displaying EV that's not part of an academic 
exercise?

An EV SSL only connects the site domain to its registered owner, nothing more. 
After that, I can decide whether to trust that company or if more research is 
warranted. At the end of the day, the user must make a decision based on the 
information they are given. This includes reviewing the EV SSL, domain name, 
site contents and third-party reviews and listings. With the removal of EV from 
the browser UI, that's one less signal users can rely on. 

For instance, my inbox receives increasingly sophisticated spam and phishing 
mailers that require me to do double and triple takes. This results in 
legitimate emails potentially being flagged as spam. One of the signals I use 
to verify linked sites within the emails is if they display EV certificates. I 
do not entirely rely on EV, but it helps to build a subconscious trust profile 
of that site along with the domain, content, site reviews and search listings. 
As a result, I've determined on a number of occasions that the emails were 
indeed authentic in part because of the EV. In this business, paranoia is 
survival.

Recently a neighbor asked me to verify a shoe site that he just purchased 
loafers from. Several red flags (i.e. Chanel header banner, unfamiliar domain 
name, etc.) and no EV SSL prompted me to recommend he dispute the charge. Weeks 
later he confirmed it was indeed a scam site. Had the site displayed an EV SSL, 
I would have investigated more knowing the extra effort required to pass EV 
validation. But since no EV SSL appeared on the site, I didn't feel the need to 
waste any more time on the site.

I can't be the only person whose aunt, neighbor or spouse asks me to help 
verify a site. This tells me that they do not understand how to properly read 
the EV information, not that EV SSL is bad or ineffective.

I'm confounded why anyone would want less independently verified information on 
a site as opposed to more for fear EV doesn't perfectly suit their 
expectations. Well-known sites like google.com and amazon.com might not need EV 
as much as less well-known sites, but there are only a small number of these 
well-known sites. 

In comparison, the vast majority of sites are lesser-known and could benefit 
from as many validation signals as possible. I would think a local hospital or 
credit union that is increasingly targeted by phishing scams might argue an EV 
certificate would be one of the tools to help combat these types of scams. 

No single solution is perfect to eliminate online scams including EV SSL, but 
by removing the EV UI, the proverbial baby bath water comes to mind. I think 
the original intent of EV was and still remains noble. We should try to improve 
upon it, not discard it or relegate it to a virtually useless state. 

Scammers are a wily bunch, and they will always find some success in gaming or 
circumventing any system where human trust is involved. Let's try to make it 
harder for them, not throw our hands in the air and give up. At a minimum, 
consider keeping a color-coded lock that would not take up any additional 
browser real estate and would give users "in the know" the EV signal. 

Otherwise, if the browsers have finalized their collective decisions on the 
matter, I do hope something better comes along that will benefit everyone. 
Treating all SSL/TLS certs as DV I think is a step backwards to 2007 when there 
was no EV, but we all knew something more than DV or OV was needed.

Leo
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy