On Thursday, September 5, 2019 at 12:16:13 PM UTC-4, Jonathan Rudenberg wrote:
> On Wed, Sep 4, 2019, at 14:53, browserpadlock--- via dev-security-policy wrote:
> > It seems that the Certificate Authorities are doing their jobs quite
> > well in regards to EV certs and making sure that it is very difficult
> > for non-qualified/verified sites to get them according to a recently
> > concluded study by Georgia Tech CyFI Lab
> > (https://www.helpnetsecurity.com/2019/08/01/ev-ssl-certificate/), a
> > well respected technical institution, NOT funded by the CA industry.
>
> This paper was paid for by Sectigo, this was clearly noted in their press
> release:
> https://sectigo.com/blog/new-research-in-ev-ssl-security-from-georgia-tech-ev-domains-99-99-free-of-online-crime
>
> The methodology is deeply flawed, for example these are some of the
> "malicious" domains from their dataset:
>
> extended-validation-ssl.websecurity.symantec.com
> hotmail.co.jp
> math.northwestern.edu
> downloads.comodo.com
>
> (there are a bunch more but I don't really care enough to keep going)
>
> Jonathan
Thanks for the update, Jonathan. The article I read didn't mention the funding source, but the article wasn't the point of my post. Bottom line, why strip out of view the only browser mechanism that identifies the owner of a website? Why not force the CAs to improve the EV validation process and create a ubiquitous user experience around EV across ALL browsers so that visitors can begin to see the commonality of EV's purpose? For the betterment of a safer and more trustworthy Internet, why digress from the concept of web identity verification instead of trying to make it better?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

