On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote:
> On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy
> <[email protected]> wrote:
>> On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote:
>>> On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
>>>> I can tell you that anti-phishing services and browser phishing filters have
>>>> also concluded that EV sites are very unlikely to be phishing sites and so
>>>> are safer for users.
>>> Whatever the merits of EV (and perhaps there are some -- I'm not
>>> convinced either way) this data is negligible evidence of them. A DV
>>> cert is sufficient for phishing, so there's no reason for a phisher to
>>> obtain an EV cert, hence very few phishing sites use them, hence EV
>>> sites are (at present) mostly not phishing sites.
>>>
>>> -R
>> So you agree it's safe to assume with high probability that when I come across
>> a site displaying an EV SSL, it's not a phishing site. I think that is one of
>> the purposes of EV.
>>
>> Or should we remove the EV bling because phishing sites prefer to use DV?
> Correlation does not imply causation.
>
> There are studies that show phishing sites tend not to be EV - yes.
> That's a correlation.
>
> If we studied phishing sites and domain name registration fees I'm
> sure we'd find a correlation there too - I'd bet the .cfd TLD (which
> apparently costs $16K to register) has a low incidence of phishing as
> well.
I agree. Also, we really should be interested in what proportion of legitimate EV sites are being impersonated, versus what proportion of legitimate OV/DV sites are being impersonated. We also should be interested in what happens when a legitimate site moves from OV/DV to EV, or vice versa. Those stats would tell us something about EV's effectiveness.
> ...To phish users, it's unnecessary to
> get an EV indicator vs a DV indicator. The simpler explanation for the
> correlation is that EV is more expensive (both in direct cost, and in
> effort to get misleading documents), so why would you pay for
> something you don't need?

Yep.

-R

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
