On Fri, Dec 15, 2017 at 10:30:41PM +0000, Tim Shirley via dev-security-policy wrote:
> I’m saying “can” be spoofed is different than “is” being spoofed.

How do you know your bank's EV UI element has never been spoofed? Have you, every single time you've made an HTTPS request to your bank's website, validated that the certificate presented for that TLS connection contains the full and complete details of your bank, rather than a certificate which contains the same displayed details, but differs in another element?

If you haven't done that, then you cannot say for certain that you've not encountered such spoofing -- merely that you haven't *noticed* said spoofing. Which nicely demonstrates the insufficiency of the current EV UI.

- Matt