On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote:
> That’s where EV certificates can help. Data shows that websites with EV
> certificates have a very low incidence of phishing.

[...]

> This research validates the results of an earlier study of 3,494 encrypted
> phishing sites in February 2019 [5]. In this study the distribution of
> encrypted phishing sites by certificate type was as follows:
>
> EV 0 phishing sites (0%)

If you replace "EV" in the above with "WombleSecure(TM)(PatPend) security seal", it is equally as true, and equally irrelevant. It's the old "tiger repelling rock" spiel ("Do you see any tigers around? See, it works great!") with a splash of X.509 for flavour.

It is not the hardest problem in science to design and execute an experiment to demonstrate EV's efficacy. At the most basic level, it could be "here is a site that was receiving X reports of users being phished per month, they deployed an EV cert and their report rate went down to Y per month, here are the confounding factors we considered and here's why they weren't the cause". Increase the number of sites to improve power as needed.

Since no EV-issuing CA has published the results of such an experiment, given the large revenues it would protect, and the strong signalling that browsers have been making over (at least) the last several years, the most plausible explanation to me is that EV-issuing CAs *have* done the experiments, and they didn't show anything, so in the finest traditions of commercially-motivated science, they just buried it. The other option is that the management of EV-issuing CAs are just clueless, which is possible, but not really any more comforting.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
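As an added illustration of the before/after experiment Matt sketches, here is a small Python worked example (it is not code from the post, from any CA, or from any published study). It assumes phishing reports at a site arrive as a Poisson process, so that the before and after counts, pooled across sites, can be compared with an exact conditional binomial test, and it computes the power of that test for a hypothesised rate reduction so the "increase the number of sites" step can be quantified. The site names and counts are constructed; the confounder analysis the post calls for is outside what a count comparison can do.

```python
from math import comb
from typing import NamedTuple, Sequence


class SiteCounts(NamedTuple):
    name: str
    months_before: float   # exposure (months) observed before EV deployment
    reports_before: int    # phishing reports received in that window
    months_after: float    # exposure (months) observed after EV deployment
    reports_after: int     # phishing reports received in that window


# Constructed illustrative data only; these are not measurements of any real site.
SITES: Sequence[SiteCounts] = [
    SiteCounts("example-bank-a", 6, 12, 6, 2),
    SiteCounts("example-bank-b", 3, 5, 3, 1),
    SiteCounts("example-bank-c", 1, 3, 1, 1),
]


def pooled(sites: Sequence[SiteCounts]):
    """Sum reports and exposure over all sites: (n_before, t_before, n_after, t_after)."""
    n1 = sum(s.reports_before for s in sites)
    t1 = sum(s.months_before for s in sites)
    n2 = sum(s.reports_after for s in sites)
    t2 = sum(s.months_after for s in sites)
    return n1, t1, n2, t2


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly from the pmf."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def rate_ratio(n1: int, t1: float, n2: int, t2: float) -> float:
    """Observed after/before ratio of reports per month (the 'Y over X' in the post)."""
    return (n2 / t2) / (n1 / t1)


def conditional_p_value(n1: int, t1: float, n2: int, t2: float) -> float:
    """One-sided p-value for 'rate after < rate before' under a Poisson model.

    Conditional on the total N = n1 + n2, the after-count is Binomial(N, t2 / (t1 + t2))
    when the two rates are equal, so the test is exact and needs no large-sample
    approximation, which matters when report counts are small.
    """
    n = n1 + n2
    p0 = t2 / (t1 + t2)
    return binom_cdf(n2, n, p0)


def critical_value(n: int, p0: float, alpha: float) -> int:
    """Largest after-count k with P(X <= k) <= alpha under H0, or -1 if no k qualifies."""
    k = -1
    while k + 1 <= n and binom_cdf(k + 1, n, p0) <= alpha:
        k += 1
    return k


def power(n_total: int, t1: float, t2: float, ratio: float, alpha: float = 0.05) -> float:
    """Probability the test rejects at level alpha for a fixed total of n_total reports
    when the true after/before rate ratio is `ratio`.

    Under the alternative, the after-count is Binomial(n_total, ratio*t2 / (t1 + ratio*t2)).
    Adding sites raises n_total, which is exactly the 'improve power' lever in the post.
    """
    p0 = t2 / (t1 + t2)
    p1 = ratio * t2 / (t1 + ratio * t2)
    k = critical_value(n_total, p0, alpha)
    return binom_cdf(k, n_total, p1) if k >= 0 else 0.0


if __name__ == "__main__":
    n1, t1, n2, t2 = pooled(SITES)
    print(f"pooled: {n1} reports / {t1} months before, {n2} / {t2} after")
    print(f"observed rate ratio: {rate_ratio(n1, t1, n2, t2):.2f}")
    print(f"one-sided exact p-value: {conditional_p_value(n1, t1, n2, t2):.5f}")
    for total in (24, 48, 96):
        print(f"power to detect a 50% reduction with {total} pooled reports: "
              f"{power(total, t1, t2, 0.5):.2f}")
```

The p-value only says whether the pooled drop is larger than Poisson noise would explain; it cannot distinguish an EV effect from a simultaneous takedown campaign, a seasonal lull, or a change in how reports are collected, which is why the post insists the confounders be listed and argued away separately.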