On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote:
> On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> 
> Whatever the merits of EV (and perhaps there are some -- I'm not 
> convinced either way) this data is negligible evidence of them. A DV 
> cert is sufficient for phishing, so there's no reason for a phisher to 
> obtain an EV cert, hence very few phishing sites use them, hence EV 
> sites are (at present) mostly not phishing sites.

Can you prove that your assumption "very few phishing sites use EV (only) 
because DV is sufficient" is correct? I do think the truth is "very few 
phishing sites use EV, because EV is hard to get".

I do not think EV certificates are easy to get. The black market stories are 
probably more about code signing certificates, I guess. And even if you would 
find an EV SSL certificate on the black market, then it would be revoked as 
soon as it is used, and that organization will never get an EV certificate 
again. So the harm that black market certificates (if there are any at all...) 
cause is very small!
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy