On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote:
> <https://www.typewritten.net/writer/ev-phishing/> and
> <https://stripe.ian.sh/> both took advantage of weaknesses in two
> government registries to create actual dummy companies with misleading
> names, then tried to get EV certs for those (with mixed success, as at
> least some CAs rejected or revoked the certs despite the government
> failures).

There were no "weaknesses" or "government failures" here; everything was operating exactly as designed.

> At least the first of those demonstrations involved a no
> longer trusted CA (Symantec).

This doesn't appear to be relevant. The process followed was compliant with the EVGLs, and Symantec was picked because they were one of the most popular CAs at the time.

> Both demonstrations caused the
> researchers' real names and identities to become part of the CA record,
> which was hand-waved away by claiming that could have been avoided by
> criminal means.

It's not handwaving to make the assertion that a fraudster would be willing to commit fraud while committing fraud. Can you explain why you think this argument is flawed?

> Studies quoted by Tom Ritter on 24/08/2019:
>
> > "By dividing these users into three groups, our controlled study
> > measured both the effect of extended validation certificates that
> > appear only at legitimate sites and the effect of reading a help file
> > about security features in Internet Explorer 7. Across all groups, we
> > found that picture-in-picture attacks showing a fake browser window
> > were as effective as the best other phishing technique, the homograph
> > attack. Extended validation did not help users identify either
> > attack."
> >
> > https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
>
> 12-year-old study involving an equally outdated browser.

Can you explain why you believe the age of this study is disqualifying? What components of the study do you believe are no longer valid due to their age? Are you aware of subsequent studies showing different results?

> > "Our results showed that the identity indicators used in the
> > unmodified FF3 browser did not influence decision-making for the
> > participants in our study in terms of user trust in a web site. These
> > new identity indicators were ineffective because none of the
> > participants even noticed their existence."
> >
> > http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf
>
> An undated(!) study involving highly outdated browsers. No indication
> this was ever in a peer-reviewed journal.

This is a peer-reviewed paper that was published in the proceedings of ESORICS 2008: 13th European Symposium on Research in Computer Security, Málaga, Spain, October 6-8, 2008. Dates are actually (unfortunately) uncommon on CS papers unless the publication metadata/frontmatter is intact.

> > DV is sufficient. Why pay for something you don't need?
>
> Unproven claim, especially by studies from before free DV without
> traceable credit card payments became the norm.

I don't follow your argument here. The evidence shows that DV is sufficient for phishing, as has been repeatedly explained on this thread.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy