On Tue, 7 Nov 2006, Gervase Markham wrote:
> Additionally, one reason why phishers haven't been using SSL is because
> browser makers and others aren't screaming "look for the lock"; and the
> reason they aren't doing that is because they know phishers will then
> start getting domain-validated certs and we'll be no further forward.

How sure can we be that this is the reason phishers don't use SSL? Lots of websites encourage their users to look for the lock, and the fact that they put all these stupid lock icons on their pages (sometimes even with popups instructing users not to worry about the lack of a padlock in the URL bar *headdesk*) shows that it clearly means something to the people who run these websites.

> If we are going to try and educate the public to look for a trust
> indicator, we need a trust indicator which is worthy of the name.

Careful! EV is NOT a "trust indicator", as you have been pointing out, and as the EV guidelines emphasize. This is more like a "legally suable entity indicator" (if I understand right -- I encourage you to find a name for it that is both accurate and less awkward than mine!)

-- ?!ng
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
