On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < [email protected]> wrote:
> Sure, I’m happy to explain, using Bank of America as an example.

Kirk,

Thanks for providing this example. Could you help me understand how it helps determine that things are safe?

For example, the reputation system you described, which is more akin to code signing than what is generally practiced in anti-phishing, seems like, if it was implemented, it would leave users at significant risk from compromise on EV sites. That is, if an EV-using site was compromised and displayed a phishing form, the fact that it had "good" reputation would actually be actively harmful to users' security, because it would make it harder to provide timely responsiveness. That is, it would be a false negative.

In this case, the use of EV certificates, and the presumption of reputation, would lead to actively worse security.

Did I misunderstand the scenario?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

