On Fri, 30 Aug 2019 12:02:42 -0500 Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> What's not discussed in that mechanism is how Google decides what
> pages are unsafe and when?

Yes, but the point was to show what shape the Safe Browsing API is; I guess I'd assumed this makes it obvious that EV doesn't really fit well but didn't spell that out properly. Google doesn't end up able to interrogate whether the site the user is visiting presented them an EV certificate. Indeed in most cases it will have no idea they visited a site, let alone which certificate was presented.

But yes, it would be possible to use EV as an input to a manual process to create the list of phishing pages. It would also be possible to use astrology. If I were tasked with this I would not do either.

Nick.