Kirk Hall via dev-security-policy <dev-security-policy@lists.mozilla.org> 
writes:

>does GSB use any EV certificate identity data in its phishing algorithms.

Another way to think about this is to look at it from the criminals'
perspective: What's the value to criminals?  To use a silly example, the value
to criminals of an unregistered handgun is quite high, while the value to
criminals of a plastic water pistol is negligible.  We know from black-market
EV-cert vendors that the value of an EV code-signing cert to criminals is
high, and one with reputation attached is even higher because it gets you
instant malware execution with no warnings from anti-malware software.  OTOH
the value to criminals of EV web site certs appears to be low to nonexistent
because the sites selling them advertise them as also-rans, "we've also got
some of these if you want them", they barely feature.

Since the value to criminals of EV web certs is low, it seems they're not
doing much to stop what the criminals are doing.  If they did have any value
then criminals would be prepared to pay more for them, like they already do
for EV code-signing certs.

Peter.