If you look at where the HTTPS phishing certificates come from, they come almost entirely from Let's Encrypt and Comodo.

This is perhaps the best argument in favor of distinguishing between CAs that care about phishing and those that don't.

-Tim

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of Peter
> Gutmann via dev-security-policy
> Sent: Wednesday, December 13, 2017 4:23 PM
> To: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-
> pol...@lists.mozilla.org; Tim Shirley <tshir...@trustwave.com>
> Subject: Re: On the value of EV
> 
> Tim Shirley via dev-security-policy <dev-security-policy@lists.mozilla.org>
> writes:
> 
> >But regardless of which (or neither) is true, the very fact that EV
> >certs are rarely (never?) used on phishing sites
> 
> There's no need:
> 
> https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-
> domains
> 
> In particular, "the rate at which phishing sites are hosted on HTTPS pages is
> rising significantly faster than overall HTTPS adoption".
> 
> It's like SPF and site security seals: adoption by spammers and crooks was
> ahead of adoption by legit users because the bad guys have more need of a
> signalling mechanism like that than anyone else.
> 
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
