On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but 
using an EV SSL in conjunction with a domain name and website with the true 
intent to dupe potential customers is another matter. I'm trying to get past 
the theoretical and get to real world instances.

I don't understand the idea that the Stripe proof-of-concept is "theoretical". We know that phishing is epidemic, and we also know that phishers presently need -- at most -- a DV cert. The POC shows that -- should something cause phishers to need an EV cert -- they can also get one of those quickly and inexpensively. But why would a phisher bother with an EV cert if a DV cert works just as well?

-R

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
