> 
> Correlation does not imply causation.
> 
> There are studies that show phishing sites tend not to be EV - yes.
> That's a correlation.
> 
> If we studied phishing sites and domain name registration fees I'm
> sure we'd find a correlation there too - I'd bet the .cfd TLD (which
> apparently costs $16K to register) has a low incidence of phishing as
> well.
> 
> There are also studies that indicate users don't pay attention to the
> (positive) security indicators. To phish users, it's unnecessary to
> get an EV indicator vs a DV indicator. The simpler explanation for the
> correlation is that EV is more expensive (both in direct cost, and in
> effort to get misleading documents), so why would you pay for
> something you don't need?
> 
> -tom

I find this to be a bit of a false equivalency.

Put another way, if EV was just as easy to obtain (in terms of cost and effort) 
as DV, everything else being equal, would phishing scammers still prefer DV 
over EV? Could the same be said about .cfd vs .com or .io? 

My guess is that phishing sites would have more success, however incremental, 
(especially on high value sites such as banking) displaying EV UI, and the 
opposite would happen on a .cfd domain. In fact, one of the arguments against 
EV was that it gave a false sense of security to would-be victims. If I'm a 
scammer, that's what I want for my phishing site.

It does come down to cost vs benefit in the world of phishing economics. The 
incremental boost of an EV indicator is just not worth the expense in 
comparison with DV to most scammers. Now that the EV UI is going away, this is 
one less concern they will need to bother with. I don't think they're sad about 
this.

So I do see causation to low adoption of EV on phishing sites. But since DV is 
good enough for most run-of-the-mill scam sites, that's the common path.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
