Jakob,

Before I touch on your comments, I wanted to point out that I was fairly
well known in the CA industry even back then, and that fact might have
tainted the results slightly because I am treated somewhat differently from
other orders, as the validation staff look more carefully at the information
presented in the order. If the order came from an anonymous body then the
chance of success of the order is very high because the validation
staff would process it as normal without the higher-level intervention which
mostly happens with my orders.

The reasons why I chose Symantec:
a) They were the largest and most popular CA at that time, and most
of the largest companies in the world used that CA.
b) Symantec also provided a 30 day risk-free trial of their EV SSL and my
thinking was at the time that criminals would take advantage of that fact.

I did try Comodo the first time and it did fail; the second time I tried Comodo
it worked. I published it here:
https://www.typewritten.net/writer/ev-phishing-final/

Thank you

Burton

On Mon, Aug 26, 2019 at 8:00 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 24/08/2019 05:55, Tom Ritter wrote:
> > On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >>
> >> Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane:
> >>> On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> >>>
> >>> Whatever the merits of EV (and perhaps there are some -- I'm not
> >>> convinced either way) this data is negligible evidence of them. A DV
> >>> cert is sufficient for phishing, so there's no reason for a phisher to
> >>> obtain an EV cert, hence very few phishing sites use them, hence EV
> >>> sites are (at present) mostly not phishing sites.
> >>
> >> Can you proove that your assumption "very few phishing sites use EV
> (only) because DV is sufficient" is correct?
> >
> > As before, the first email in the thread references the studies
> performed.
>
> The (obviously outdated) studies quoted below were NOT referenced by the
> first message in this thread.  The first message only referenced two
> highly unpersuasive demonstrations of the mischief possible in
> controlled experiments.
>
> <https://www.typewritten.net/writer/ev-phishing/> and
> <https://stripe.ian.sh/> both took advantage of weaknesses in two
> government registries to create actual dummy companies with misleading
> names, then tried to get EV certs for those (with mixed success, as at
> least some CAs rejected or revoked the certs despite the government
> failures).  At least the first of those demonstrations involved a no
> longer trusted CA (Symantec).  Both demonstrations caused the
> researchers' real names and identities to become part of the CA record,
> which was hand-waved away by claiming that could have been avoided by
> criminal means.
>
>
> Studies quoted by Tom Ritter on 24/08/2019:
>
> >
> > "By dividing these users into three groups, our controlled study
> > measured both the effect of extended validation certificates that
> > appear only at legitimate sites and the effect of reading a help file
> > about security features in Internet Explorer 7. Across all groups, we
> > found that picture-in-picture attacks showing a fake browser window
> > were as effective as the best other phishing technique, the homograph
> > attack. Extended validation did not help users identify either
> > attack."
> >
> > https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
> >
>
> A 12-year-old study involving an equally outdated browser.
>
> > "Our results showed that the identity indicators used in the
> > unmodified FF3 browser did not influence decision-making for the
> > participants in our study in terms of user trust in a web site. These
> > new identity indicators were ineffective because none of the
> > participants even noticed their existence."
> >
> >
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf
> >
>
> An undated(!) study involving highly outdated browsers.  No indication
> this was ever in a peer-reviewed journal.
>
> > DV is sufficient. Why pay for something you don't need?
> >
>
> Unproven claim, especially by studies from before free DV without
> traceable credit card payments became the norm.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>