On Thursday, August 29, 2019 at 6:15:44 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > What the heck does it mean when sometimes you say you are posting "in a > > personal capacity" and sometimes you don't? > > > It sounds like you were very prescient in your inability to remember > things, as you mentioned at > https://groups.google.com/d/msg/mozilla.dev.security.policy/cCeLZuxAOvQ/iM1cbmxjDgAJ > > Hope that helps explain how things work. I sometimes include it to help jog > the memory of folk who tend to forget, so sorry that the extra reminder > sounds like it might have confused you. > > > > does GSB use any EV certificate identity data in its phishing algorithms. > > My understanding is that the answer is yes, > > > > That's a good question, but I'm not sure where your understanding came > from! I was hoping you could share more, since that would definitely be the > easiest way to confirm it. It sounds like you're not sure, and you don't > have any evidence handy. If you can find out more information, can you > report back? It seems like you have some contacts or some information that > led you to your conclusion, I'm sure there is no one more effective or > efficient at finding an answer than you. > > I've never heard of that, so of course, I wouldn't know where to start. On > the other hand, if you're not sure, it might be clearer not to definitively > state that's how things work, or presume they work? That might make it a > bit clearer about what's real and what's imagined, in case you're just > misremembering things. After all, if you don't know, and I don't know, and > no one else here knows, maybe it's worth focusing on the things we do know > instead of speculating? > > The information I have about use of EV identity data for anti-phishing > > algorithms was all provided in private communications, so I would not be > > able to name any names without permission. I have already emailed two > > people about this, > > > > Great! Then it sounds like we're on track to having you report back once > you know more. I look forward to hearing how they've solved this, as it > sounds like EV might have be valuable even when the UI isn't shown. That > would be great validation that you don't need to show prominent UI to get > user benefit.
OK, I'll try one last time to see if you are willing to share Google information that you have with this group on the question at hand (Do browser phishing filters and anti-virus apps use EV data in their anti-phishing algorithms). This is super easy, and doesn't even require you to do any work, like contacting Google Safe Browsing and asking them to participate in this conversation. Here's the question, and all I'm asking you to do is answer "Yes," "No," or "I Don't Know" **Based on your personal knowledge, does Google Safe Browsing use any EV certificate Subject information in its anti-phishing algorithms?** This will be useful information to everyone on this list. Thanks for your cooperation. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
