Good afternoon all,
I would like to chime in with my two cents, if allowed:
1. Users do not notice the absence of a positive indicator. There is ample
evidence, academic and otherwise. If users did notice the absence of a positive
indicator, it follows that phishing without an EV certificate
From: Ben Laurie
Sent: Friday, August 16, 2019 9:33 AM
To: Doug Beattie
Cc: Jonathan Rudenberg; Peter Gutmann; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
Surely this shows that EV is not needed to make phishing work, not that
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
>
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type?
>
> Here is some research that
From: Jonathan Rudenberg
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie; Peter Gutmann; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via
Peter,
I'm not claiming that EV reduces phishing globally, just for those sites
that use them. Do you have a chart that breaks down phishing attacks by SSL
certificate type?
Here is some research that indicates EV sites have a reduced phishing
percentage, so customers accessing EV protected
On Fri, 16 Aug 2019 13:31:08 +
Doug Beattie via dev-security-policy
wrote:
> DB: One of the reasons that phishers don't get EV certificates is
> because the vetting process requires several interactions and
> corporate repositories which end up revealing more about their
> identity. This
>
> See also the screenshot I posted earlier. That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them. These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use. For a little extra payment
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as
Thanks Tim, well written and I completely agree!
In this thread, issues have been raised that EV validation is not
perfect and that criminals can obtain an EV certificate (if they reveal
their identity). I also agree that the validation can be improved, but as
Tim stated, that doesn't mean
Hi All,
This is Jason from the Microsoft PKI Services team. I’d like to add some
context to the note about the certs issued from the Microsoft RSA Root
Certificate Authority 2017. As you can see, these were all issued to a domain
registered to Microsoft. While these clearly violate the Subject
My apologies for not weighing in earlier, but like many others I was surprised
by this announcement and had to make time to craft this message around other
pressing demands. The original announcement above that the EV UI would be
removed in October cited authorities and articles that were in
Leo Grove via dev-security-policy
writes:
>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion is on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as
Honestly the issues, as I see them, are twofold:
1. When I visit a site for the first time, how do I know I should expect
an EV certificate? I am conscientious about subsequent visits, especially
financial industry sites.
2. The browsers seem to have a bias toward the average user, that user
Doug Beattie writes:
>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site
Corey Bonnell via dev-security-policy
writes:
>the effectiveness of the EV UI treatment is predicated on whether or not the
>user can memorize which websites always use EV certificates *and* no longer
>proceed with using the website if the EV treatment isn't shown. That's a huge
>cognitive
I don't know about other CAs, but at SSL.com we issue a very limited number of
EV SSL certificates in comparison to other certificates so it's not a big
revenue driver.
However, as a user I support EV SSL. I personally have never come across a scam
site that displayed an EV SSL (I'm not saying
On 17/08/2019 03:15, Peter Gutmann wrote:
> Corey Bonnell via dev-security-policy
> writes:
> the effectiveness of the EV UI treatment is predicated on whether or not the
> user can memorize which websites always use EV certificates *and* no longer
> proceed with using the website if the EV treatment
Jakob Bohm via dev-security-policy
writes:
>Your legendary dislike for all things X.509 is showing.
My dislike for persisting mindlessly with stuff we already know doesn't work
is showing (see in particular the quote typically misattributed to Einstein
about the definition of insanity), and
On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote:
>
> By way of background, until recently almost all phishing and malware was on
> unencrypted http sites. They received a neutral UI, and the bad guys didn’t
> have to spend time and money getting a certificate,
I have a few more comments/annotations:
(1) Pro EV persons argue "Criminals have problems getting an EV certificate, so
most of them are using only DV certificates".
Anti EV persons argue "Criminals just don't use EV certificates, because they
know that end users don't look at the EV indicator
If one compares the first EV specification with the current EV
specification one will notice that the EV specification hasn't changed that
much during its lifetime. The issues presented during the last years through
research have been known about since the first adoption of the EV
specification. If