On Tue, Sep 03, 2019 at 06:16:23PM -0700, Kirk Hall via dev-security-policy wrote:
> However, I did receive authority to post the following statement from
> someone who works for a major browser phishing filter (but without
> disclosing the person's name or company). Here is the authorized
> statement:
>
> "A browser phishing filter representative has confirmed that (1) their
> research teams do look at EV certificate attributes and do feel there
> is signal there for phish/malware detection, and (2) they would like
> to have continued access to this EV data."
>
> I think this establishes the point I made last week — that EV data is
> valuable for anti-phishing efforts and so EV should be supported by the
> browsers.

I think you're overstating the case somewhat. The statement you quoted
establishes that EV data is *used* for anti-phishing efforts. It certainly
says nothing in support of the assertion that EV should be supported by
browsers. It also doesn't address the concerns that Ryan put forward
regarding the advisability of using EV data for anti-phishing.

> I'm still concerned that removing the EV UI in Firefox could cause some EV
> sites to stop using EV certificates which in turn would eliminate the
> availability of their EV website data from the security ecosystem. This
> possible adverse outcome should be considered by Mozilla before it removes
> its EV UI.

Mozilla should do what is best for the users of Mozilla products[1]. Asking
Mozilla to carry a feature in Firefox that is of zero-to-negative value to
Firefox users, so as to provide benefits to anti-phishing systems, is as
nonsensical as asking Mozilla to do the same purely to provide revenue
benefits to CAs.

If EV information is of use in anti-phishing efforts, then it would be best
for the providers of anti-phishing services to team up with CAs to describe
the advantages of continuing to provide an EV certificate. If site owners,
who are presumably smart people with significant technical skills making
decisions on a rational basis, don't see the benefits (after a little
training), perhaps you should accept their decision, even if you disagree
with them or have a different commercial interest.

- Matt

[1] within the context of the use of Mozilla products, at any rate. I'm sure
it would be best for the users of Mozilla products if everyone using Firefox
got a million dollars and a pony, but I hope nobody's going to start
agitating for Mozilla to get into the equine distribution game.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy