On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote:
> On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via
> dev-security-policy wrote:
> > In old Firefox, I get a green bar if I visit google.com and paypal.com,
> > telling me that this is a well-known company that got the EV certificate.
> > The other fake domains goog1e.com and paypa1.com only have DV certificates
> > by Let's Encrypt.
>
> The green bar does not indicate that it's a well-known company. It
> means someone paid for an EV certificate. The green bar does not
> in any way say it's more secure or indicate that you're talking to
> some trustworthy company. It only gives you a false sense of
> security.
>
>
> Kurt
That's a pretty disingenuous description of EV certificates. Whether they paid for it or not isn't the issue. It means that some entity applied for an EV certificate, and the CA used the vetting methods described in the CA/B Forum EV Guidelines (which were agreed to by CAs and browsers) to verify the domain, the company, the address, location, etc. Only after that is complete is an EV certificate issued. The CA is then audited annually against the work it did (in addition to assuring it meets physical, network and other audit requirements).

I have to agree with Jakob: it's remarkable that Mozilla would make such a drastic change with only a 2-day announcement and no discussion.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy