> See also the screenshot I posted earlier. That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them. These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use. For a little extra payment you can get ones with
> high SmartShield scores so your malware is instantly trusted by the victim's
> PC.

Peter,

Are you referring to EV Code Signing certificates? I agree that needs to be addressed in another forum, but this discussion is on EV SSL/TLS and their value (or lack thereof) in the browser UI. Browsers do not support EV Code Signing in the UI as far as I know.

It's been documented that EV Code Signing certificates are on the black market. Did you see the same thing for EV SSL/TLS?

Leo

> >The burden is not on the web browsers to prove that EV is detrimental to
> >security - the burden is on third parties to prove that EV is beneficial.
>
> Yup, as per my previous post. We've got vast amounts of data on this, if
> there was a benefit to users then it shouldn't be hard to show that from the
> data.
>
> Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy