Tim Shirley via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>But regardless of which (or neither) is true, the very fact that EV certs are >rarely (never?) used on phishing sites There's no need: https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains In particular, "the rate at which phishing sites are hosted on HTTPS pages is rising significantly faster than overall HTTPS adoption". It's like SPF and site security seals, adoption by spammers and crooks was ahead of adoption by legit users because the bad guys have more need of a signalling mechanism like that than anyone else. Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy