Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Eric Mill writes: >CAs should be careful about casually and dramatically overestimating the >roadblocks that EV certificates present to attackers. See also the screenshot I posted earlier. That was from a black-market web site selling EV certificates to anyone with the stolen credit cards to

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Robin.Lin
I think that the phishing event count should focus on the number of phishing events per organization. If the phishing event count decreased after an organization started to use EV certificates, the EV certificate should have some effect in reducing phishing events. Thanks, Robin Lin >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >So far I see is a number of contrived test cases picking apart small >components of EV, and no real data to back it up. See the phishing stats from any source you care to use. I've already mentioned the APWG which I consider the premier source, and also linked to the SSL

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >Do you have any empirical data to backup the claims that there is no benefit >from EV certificates? Uhhh... I don't even know where to start. We have over ten years of data and research publications on this, and the lack of benefit was explicitly cited by Google and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Nick Lamb via dev-security-policy
On Thu, 15 Aug 2019 22:11:37 +0200 Eric Rescorla via dev-security-policy wrote: > I expect this is true, but it seems to me that if anything it is an > argument that EV doesn't provide security value, not the other way > around: DV certificates are much cheaper to obtain than EV, and so >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
I'm told my previous message to this thread was flagged as spam for some of the recipients. But it did get posted to the Google Group, so for those who didn't get my previous reply, here it is: https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/tO3k5ua0AQAJ On Thu, Aug 15,

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ian Carroll via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote: > So far I see is a number of contrived test cases picking apart small > components of EV, and no real data to back it up. Mostly academic or > irrelevant research, imho. Here are a couple of links posted in this thread: >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Rescorla via dev-security-policy
On Thu, Aug 15, 2019 at 2:46 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Peter, > > Do you have any empirical data to back up the claims that there is no > benefit > from EV certificates? From the reports I've seen, the percentage of > phishing and

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread James Burton via dev-security-policy
My understanding of the days before EV was that the CAs themselves made up the validation requirements for DV, and because of this there were uneven validation requirements across the industry. EV was the first document created to solve this and standardise validation requirements for a

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ronald Crane via dev-security-policy
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote: > So far I see is a number of contrived test cases picking apart small > components of EV, and no real data to back it up. I also would like to see more evidence of problems. However, I have to object to the idea that Mostly

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > So far I see is a number of contrived test cases picking apart small > components of EV, and no real data to back it up. Mostly academic or > irrelevant research, imho.

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Tom Ritter via dev-security-policy
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Peter, > > Do you have any empirical data to back up the claims that there is no > benefit > from EV certificates? From the reports I've seen, the percentage of > phishing and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread deanjc18--- via dev-security-policy
On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote: > On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via > dev-security-policy wrote: > > In old Firefox, I get a green bar if I visit google.com and paypal.com, > > telling me that this is a well-known company that got

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Doug Beattie via dev-security-policy
Peter, Do you have any empirical data to back up the claims that there is no benefit from EV certificates? From the reports I've seen, the percentage of phishing and malware sites that use EV is drastically lower than DV (which are used to protect the cesspool of websites). Doug -Original

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Kurt Roeckx via dev-security-policy
On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via dev-security-policy wrote: > In old Firefox, I get a green bar if I visit google.com and paypal.com, > telling me that this is a well-known company that got the EV certificate. > The other fake domains goog1e.com and paypa1.com only

AW: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Buschart, Rufus via dev-security-policy
Dear Daniel! > Please tell me if I understand this correctly... > Is it that DV and EV certificates now both show the same lock symbol? > That would be a great harm in my opinion. And I do not understand why you > want this change. > > I think EV is very important and I explain why. > > Let's

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Daniel Marschall via dev-security-policy
Please tell me if I understand this correctly... Is it that DV and EV certificates now both show the same lock symbol? That would be a great harm in my opinion. And I do not understand why you want this change. I think EV is very important and I explain why. Let's look at the following hypothetical
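The hypothetical above turns on lookalike hostnames such as goog1e.com and paypa1.com: each can hold a perfectly valid DV certificate, so the padlock alone never separated them from google.com and paypal.com, with or without the EV indicator. What follows is an added example, not code posted by anyone in this thread, showing the kind of lookalike check a defender (mail gateway, proxy, SOC tooling) applies to a hostname once the browser UI is no longer expected to do it. The protected-brand list, the confusable-character table and the two-label "registrable domain" shortcut are assumptions made for the example.

```python
"""Lookalike-hostname check (added example; not from the thread).

A valid certificate only proves control of the exact hostname. Whether that
hostname is a confusable twin of a brand is a separate question, answered
here by normalising confusable characters and measuring edit distance
against an assumed list of protected brand domains.
"""
import unicodedata

# Assumed brand list, constructed for the example (the thread's own examples).
PROTECTED = {"google.com", "paypal.com"}

# Characters commonly swapped in for Latin letters: ASCII digits/punctuation
# plus a few Cyrillic homoglyphs. Assumed table, not exhaustive.
CONFUSABLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})


def normalize_host(host: str) -> str:
    """Lower-case, decode IDNA (xn--) labels, NFKC-fold, map confusables."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare it as given
    host = unicodedata.normalize("NFKC", host)
    return host.translate(CONFUSABLE)


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption for the example: a real deployment would
    consult the Public Suffix List, since this breaks for e.g. co.uk."""
    return ".".join(host.split(".")[-2:])


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    raw = host.strip().rstrip(".").lower()
    if registrable_domain(raw) in PROTECTED:
        return "trusted"
    norm = registrable_domain(normalize_host(raw))
    if norm in PROTECTED:
        return "lookalike"  # confusable substitution, e.g. goog1e.com
    for brand in PROTECTED:
        # One typo or transposition in the label before the TLD also counts.
        if damerau_levenshtein(norm.split(".")[0], brand.split(".")[0]) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ["www.google.com", "goog1e.com", "paypa1.com",
              "login.paypal.com", "g\u043e\u043egle.com", "example.com"]:
        print(f"{h:24s} {classify(h)}")
```

Two caveats worth keeping in mind when using something like this: it deliberately judges the registrable domain, so google.com.evil.net still comes out as "unrelated" to google.com (the brand appears only as a subdomain of an unrelated registration, which a user may nevertheless fall for), and the two-label shortcut misclassifies anything under a multi-label public suffix. Neither changes the point of the thread: the check operates on the hostname, not on the certificate type.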