Good afternoon all, I would like to chime in with my two cents, if allowed:
1. Users do not notice the absence of a positive indicator. There is ample evidence, academic and otherwise. If users did notice the absence of a positive indicator, it follows that phishing without an EV certificate would be non-existent, as users would be noticing the lack of EV. Seeing the success of phishing indicates that users do not check for the absence of the indicator. 2. Further, if users did notice the lack of positive indicators, you can bet that phisher's would do everything in their power to display the positive indicator. They don't, because... it doesn't matter. Even if we assumed that displaying the positive indicator did matter: 3. Obtaining an EV certificate is as easy as spending ~$100 to incorporate and waiting a day or two, or visiting an underground marketplace. It's not exactly breaking into Fort Knox. Following these points to the logical conclusion, I cannot see why anyone (other than those with a financial interest in the sale of EV certificates) would be arguing against this UI change. Cheers, Sent with ProtonMail Secure Email. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, 16 August 2019 13:37, Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > From: Ben laurieb...@google.com > Sent: Friday, August 16, 2019 9:33 AM > To: Doug Beattie doug.beat...@globalsign.com > Cc: Jonathan Rudenberg jonat...@titanous.com; Peter Gutmann > pgut...@cs.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of > the URL bar > > On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy > <dev-security-policy@lists.mozilla.org > mailto:dev-security-policy@lists.mozilla.org > wrote: > > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished > > Surely this shows that EV is not needed to make phishing work, not that EV > reduces phishing? > > [DB] It should show that users are safer when visiting an EV secured site. > > > -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > I am hiring! Formal methods, UX, SWE ... verified s/w and h/w. > #VerifyAllTheThings. > > https://g.co/u58vjr https://g.co/adjusu > > (Google internal) > > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
