On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Sunday, 18 August 2019 at 20:05:42 UTC+2, Ronald Crane wrote:
> > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > > Deploying a Stripe Inc EV SSL from a state other than CA is one thing,
> but using an EV SSL in conjunction with a domain name and website with the
> true intent to dupe potential customers is another matter. I'm trying to
> get past the theoretical and get to real world instances.
> >
> > I don't understand the idea that the Stripe proof-of-concept is
> > "theoretical". We know that phishing is epidemic, and we also know that
> > phishers presently need -- at most -- a DV cert. The POC shows that --
> > should something cause phishers to need an EV cert -- they can also get
> > one of those quickly and inexpensively. But why would a phisher bother
> > with an EV cert if a DV cert works just as well?
>
>
> The important question is: can they get this without making themselves
> easily traceable?
> Sure, I can register a company and get an EV certificate for that company.
> But can I do this completely anonymously, like getting a DV cert?
>
> How long do you think would it have taken for the police to come and get
> Ian Carroll if he'd actually committed fraud?
>
> Nobody is arguing that EV certificates are perfect and everything is good
> if you use them. But they do raise the bar for criminals. And in my
> opinion, significantly.
>
> What I propose is for Mozilla to not say "Fuck it, it's not working, just
> remove it!" but instead to try to focus on finding a better UX solution to
> the problem that end users are not aware when a site that should have an EV
> certificate is not presenting one.
>
>
The counter-argument is that not all problems can be solved with UX, and
getting browser users to recognize and respond to the lack of an EV
indicator is in that class of unsolvable problems.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy