On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote:
> > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> > > I can tell you that anti-phishing services and browser phishing filters
> > > have also concluded that EV sites are very unlikely to be phishing
> > > sites and so are safer for users.
> >
> > Whatever the merits of EV (and perhaps there are some -- I'm not
> > convinced either way) this data is negligible evidence of them. A DV
> > cert is sufficient for phishing, so there's no reason for a phisher to
> > obtain an EV cert, hence very few phishing sites use them, hence EV
> > sites are (at present) mostly not phishing sites.
> >
> > -R
>
> So you agree it's safe to assume with high probability that when I come
> across a site displaying an EV SSL, it's not a phishing site. I think that is
> one of the purposes of EV.
>
> Or should we remove the EV bling because phishing sites prefer to use DV?
Correlation does not imply causation. There are studies that show phishing sites tend not to be EV - yes. That's a correlation. If we studied phishing sites and domain name registration fees I'm sure we'd find a correlation there too - I'd bet the .cfd TLD (which apparently costs $16K to register) has a low incidence of phishing as well.

There are also studies that indicate users don't pay attention to the (positive) security indicators. To phish users, it's unnecessary to get an EV indicator vs a DV indicator.

The simpler explanation for the correlation is that EV is more expensive (both in direct cost, and in effort to get misleading documents), so why would you pay for something you don't need?

-tom

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy