On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> > using an EV SSL in conjunction with a domain name and website with the true
> > intent to dupe potential customers is another matter. I'm trying to get
> > past the theoretical and get to real-world instances.
>
> I don't understand the idea that the Stripe proof-of-concept is
> "theoretical". We know that phishing is epidemic, and we also know that
> phishers presently need -- at most -- a DV cert. The POC shows that --
> should something cause phishers to need an EV cert -- they can also get
> one of those quickly and inexpensively. But why would a phisher bother
> with an EV cert if a DV cert works just as well?
The important question is: can they get this without making themselves easily traceable? Sure, I can register a company and get an EV certificate for that company. But can I do this completely anonymously, like getting a DV cert? How long do you think it would have taken for the police to come and get Ian Carroll if he'd actually committed fraud?

Nobody is arguing that EV certificates are perfect and everything is good if you use them. But they do raise the bar for criminals. And in my opinion, significantly.

What I propose is for Mozilla not to say "Fuck it, it's not working, just remove it!" but instead to try to focus on finding a better UX solution to the problem that end users are not aware if a site that should have an EV certificate is not presenting one.

- Josef

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy