On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> This string is about Mozilla’s announced plan to remove the EV UI from 
> Firefox in October.  Over time, this will tend to eliminate confirmed 
> identity information about websites from the security ecosystem, as EV 
> website owners may decide it’s not worth using a n EV certificate if 
> browsers decide to hide the data from users.  As noted in my last 
> message, this will be a tragedy for users, as browser phishing filters 
> and other anti-phishing services currently rely on website EV data in 
> their algorithms for protecting users.

Can you provide more detail (preferably with citations) about how browser 
phishing filters, and specifically Google Safe Browsing (used by Firefox), rely 
on EV data?

It's not clear to me how this could possibly be useful in detecting phishing 
given the data that you've previously published[1] showing that an extremely 
small number sites with EV certificates were detected as phishing.

Jonathan

[1] 
https://casecurity.org/wp-content/uploads/2018/06/Summary-Report-Incidence-of-Phishing-04-16-2018.pdf
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to