On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > I can tell you that anti-phishing services and browser phishing filters > > have also have concluded that EV sites are very unlikely to be phishing > > sites and so are safer for users. > > Whatever the merits of EV (and perhaps there are some -- I'm not > convinced either way) this data is negligible evidence of them. A DV > cert is sufficient for phishing, so there's no reason for a phisher to > obtain an EV cert, hence very few phishing sites use them, hence EV > sites are (at present) mostly not phishing sites. > > -R
So you agree it's safe to assume with high probability that when I come across a site displaying an EV SSL, it's not a phishing site. I think that is one of the purposes of EV. Or should we remove the EV bling because phishing sites prefer to use DV? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy