Peter, I'm not claiming that EV reduces phishing globally, just for those sites that use them. Do you have a chart that breaks down phishing attacks by SSL certificate type?
Here is some research that indicates EV sites have a reduced phishing percentage, so customers accessing EV-protected sites are safer: https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf

-----Original Message-----
From: Peter Gutmann <pgut...@cs.auckland.ac.nz>
Sent: Thursday, August 15, 2019 10:03 PM
To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

Doug Beattie <doug.beat...@globalsign.com> writes:

>Do you have any empirical data to back up the claims that there is no
>benefit from EV certificates?

Uhhh... I don't even know where to start. We have over ten years of data and research publications on this, and the lack of benefit was explicitly cited by Google and Mozilla as the reason for removing the EV bling... one example is the most obvious statistic, maintained by the Anti-Phishing Working Group (APWG), which shows an essentially flat trend for phishing over the period of a year in which EV certificates were phased in, indicating that they had no effect whatsoever on phishing. There's endless other stats showing that the trend towards security is negative, i.e. it's getting worse every year, here's some five-year stats from a quick google:

https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png

If EV certs had any effect at all on security we'd have seen a decrease in phishing/increase in security.

There is one significant benefit from EV certificates, which I've already pointed out, which is to the CAs selling them. So when I say "there's no benefit" I mean "there's no benefit to end users", which is who the certificates are putatively helping.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy