I'm told my previous message to this thread was flagged as spam for some of the recipients. But it did get posted to the Google Group, so for those who didn't get my previous reply, here it is:
https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/tO3k5ua0AQAJ On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > So far I see is a number of contrived test cases picking apart small > components of EV, and no real data to back it up. Mostly academic or > irrelevant research, imho. Here are a couple of links posted in this > thread: > > > > https://www.typewritten.net/writer/ev-phishing/: This post is intended > for a technical audience interested in how an EV SSL certificate can be > used as an effective phishing device <but no evidence this is a real world > security concern> > > > > https://stripe.ian.sh/: EV certificates with colliding entity names can > be generated, but to date, I don’t know of any real attacks, just this > academic exercise. And how much did it cost and how long did it Ian to get > certificates to perform this experiment? Way more time and money that a > phisher would invest. > > > > > https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md > references a number of studies. But none of them indicated that EV was bad > or misleading or was a detriment to security, and a number of the > references weren’t even related to EV (including irrelevant research links > to bolster their claims to the uninformed) > > > > I haven’t been counting the number of pro and cons emails, but there are a > significant number of organizations questioning the changes by Google and > Mozilla. Mozilla and Google should reconsider their proposed changes. > > > > Yes, I work for a CA that issues EV certificates, but if there was no > value in them, then our customers would certainly not be paying extra for > them. Shouldn’t the large enterprises that see a value in identity (as > does GlobalSign) drive the need for ending EV certificates? With Google > and Mozilla being prominent Lets Encrypt sponsors we know their intent is > to drive business to them vs. any of the commercially respectable CAs. > It’s actually counter productive to security to sponsor a CA that issues so > many certificates to phishing and malware sites without any consequences. > Is this to increase the value of their malware site detection services? > Maybe.. > > * https://www.usenix.org/system/files/soups2019-drury.pdf > * > https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf > > > > Baffled… > > > > > > > > From: Tom Ritter <t...@ritter.vg> > Sent: Thursday, August 15, 2019 1:13 PM > To: Doug Beattie <doug.beat...@globalsign.com> > Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; MozPol < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out > of the URL bar > > > > > > On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy < > dev-security-policy@lists.mozilla.org <mailto: > dev-security-policy@lists.mozilla.org> > wrote: > > Peter, > > Do you have any empirical data to backup the claims that there is no > benefit > from EV certificates? From the reports I've seen, the percentage of > phishing and malware sites that use EV is drastically lower than DV (which > are used to protect the cesspool of websites). > > > > I don't doubt that at all. However see the first email in this thread > citing research showing that users don't notice the difference. > > > > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- Eric Mill 617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
