On Thu, Sep 05, 2019 at 03:38:24PM -0700, browserpadlock--- via 
dev-security-policy wrote:
> On Thursday, September 5, 2019 at 12:16:13 PM UTC-4, Jonathan Rudenberg wrote:
> > On Wed, Sep 4, 2019, at 14:53, browserpadlock--- via dev-security-policy 
> > wrote:
> > > It seems that the Certificate Authorities are doing their jobs quite 
> > > well in regards to EV certs and making sure that it is very difficult 
> > > for non-qualified/verified sites to get them according to a recently 
> > > concluded study by Georgia Tech CyFI Lab 
> > > (https://www.helpnetsecurity.com/2019/08/01/ev-ssl-certificate/), a 
> > > well respected technical institution, NOT funded by the CA industry.
> > 
> > This paper was paid for by Sectigo, this was clearly noted in their press 
> > release:
> > https://sectigo.com/blog/new-research-in-ev-ssl-security-from-georgia-tech-ev-domains-99-99-free-of-online-crime
> > 
> > The methodology is deeply flawed, for example these are some of the 
> > "malicious" domains from their dataset:
> > 
> > extended-validation-ssl.websecurity.symantec.com
> > hotmail.co.jp
> > math.northwestern.edu
> > downloads.comodo.com
> 
> Thanks for the update Jonathan, the article I read didn't mention the
> funding source, but the article wasn't the point of my post.

For something that wasn't the point of your post, it seems to have a
very prominent position therein.

> Bottom line, why strip out of view the only browser mechanism that
> identifies the owner of a website?

Because it doesn't provide any benefit commensurate with the costs.

> Why not force the CAs to improve the EV validation process and create a
> ubiquitous user experience around EV across ALL browsers so that visitors
> can begin to see the commonality of EV's purpose?

Because there have been no plausible proposals made which meaningfully
improve the EV validation process to address the flaws.

> For the betterment of a safer and more trustworthy Internet, why digress
> from the concept of web identity verification instead of trying to make it
> better?

Because "web identity verification", as embodied in EV, has not been shown
to contribute to "the betterment of a safer and more trustworthy Internet".

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy