Here is another comment from a major anti-phishing service – PhishLabs – about
the value of EV certificates in detecting malicious websites. Its CTO, John
LaCour, is willing to go on the record, and he concludes with this statement:
“So should web browsers provide a visual indicator to users that their site
uses an EV certificate? I think it is useful information for a class of
users. It seems like there should be a way to indicate EV without it confusing
or misleading other classes of users.”

I agree – and think the Apple binary UI is the way to go – and I hope Mozilla 
will consider it instead of eliminating the EV UI and hiding the data from 
Firefox users.  Over time, that could drive EV identity data from the security 
ecosystem.

Here are John’s comments in full:

Kirk,

Thanks for your question about how PhishLabs uses certificates to help evaluate
web site legitimacy.

First, let me be clear that, whether or not a web site is legitimate, secure,
compromised, etc. has nothing to do with whether it has a digital certificate
for TLS or not. Or even what kind of certificate it is. We’ve seen
compromised sites with EV certificates – though exceedingly rarely (< 10 /
year), as well as popular legitimate sites without a certificate. Every day
we scan millions of web sites and URIs that may be malicious. Our technology
can often, with very high confidence, classify a site or specific URI as
malicious or not automatically. Sometimes, though, we aren’t sure. In
those cases we often fall back to a set of heuristics to help us make a
determination. One of the very strong signals we use as to whether a site
is legitimate and secure is if it has an EV Certificate.

I believe this is a result of correlation – a strong one that can be used with
confidence – that the site owners are known and that they are more likely to
practice better security hygiene. On the email thread you mentioned, there
was some discussion about Google Safe Browsing and if and how that should be
used. We’ve found in our tests that GSB only correctly identifies roughly
50% of the known malicious sites we query against it. And we proactively
share all of these bad URIs with Google.

So should web browsers provide a visual indicator to users that their site uses
an EV certificate? I think it is useful information for a class of users.
It seems like there should be a way to indicate EV without it confusing or
misleading other classes of users.

Thanks for the opportunity to chime in.

John
--
John LaCour
CTO, PhishLabs 

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy