Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but 
> > using an EV SSL in conjunction with a domain name and website with the true 
> > intent to dupe potential customers is another matter. I'm trying to get 
> > past the theoretical and get to real world instances.
> I don't understand the idea that the Stripe proof-of-concept is 
> "theoretical". We know that phishing is epidemic, and we also know that 
> phishers presently need -- at most -- a DV cert. The POC shows that -- 
> should something cause phishers to need an EV cert -- they can also get 
> one of those quickly and inexpensively. But why would a phisher bother 
> with an EV cert if a DV cert works just as well?

The important question is can they get this without making them easily 
Sure I can register a company and get an EV certificate for that company. But 
can I do this completely anonymous like getting a DV cert?

How long do you think would it have taken for the police to come and get Ian 
Carroll if he'd actually committed fraud?

Nobody is arguing that EV certificates are perfect and everything is good if 
you use them. But they do raise the bar for criminals. And in my opinion, 

What I propose is for mozilla to not say "Fuck it, it's not working, just 
remove it!" but instead try to focus on finding a better UX solution to the 
problem that end users are not aware if a site that should have an EV 
certificate is not presenting one.

- Josef
dev-security-policy mailing list

Reply via email to