> On Oct 8, 2019, at 4:19 AM, carsten.mueller.gl--- via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > >> But the target audience for phishing are uninformed people. People which >> have no idea what a EV cert is. People who don't even blink if the English >> on the phishing page is worse than a 5-year old could produce. >> >> You cannot base the decision if a EV indication in the browser is useful on >> those people. >> > The discussions that many users don't even recognize the difference between > EV/OV/DV certificates is unfortunately true, BUT forced by the browsers: > > When EV certificates were introduced, each browser displayed a green address > bar including the company name and the country abbreviation of the > certificate applicant. > Gradually the green colouring of the address bar was removed and only the > company name and country abbreviation were displayed in green. > To top it all off, the lock symbol of ALL certificates was displayed in green > to make the confusion of the users perfect. > Google Chrome also removed the green color of the company name. > > Each browser then had a different display of all certificate types at short > intervals. > > > In the early days of EV certificates, it was easy for me to tell my mother > and " uninformed" friends that they should pay attention to the green address > bar and the company name displayed there, and if possible not make any > purchases or data inputs at all on other sites. > > It was so simple: green address bar + some intelligence > 99% security > > Today: > - no normal user can display the contents of certificates > - no normal user can recognize which certificate types are actually involved > > > Of course, you can never be 100% sure that when calling a website with an EV > certificate: > - no one has stolen the certificate > - another company with a similar name operates a phishing site > However, the effort to do this is so much higher that it is hardly worth it, > see below. > > > Also it is pointed out here again and again that EV certificates are so > insecure, because e.g. a certificate for https://stripe.ian.sh was issued for > Stripe, Inc located in Kentucky and was displayed by the browsers exactly > like the EV certificate from Stripe, Inc. > This is not a reason for abolishing EV certificates, but rather a reason to > talk about the UI of the known browsers. > Each EV certificate lists both the location of the company and the registry. > Therefore, you can also display "Fima/State/Country" in the address bar of > the browser. > > In addition, it is still much more complicated to operate a fake website with > an EV certificate (I come from Germany, therefore related to Germany): > - Foundation of a corporation (GmbH): > o min 15.000,- EUR > o Appearance of at least one person at a notary and verification of all data > o Verification of all data by commercial register > - Application for EV certificate > > I would like to link to a study on the use of EV certificates for phishing: > https://sectigo.com/uploads/resources/Understanding-the-Role-of-Extended-Validation-Certificates-in-Internet-Abuse.pdf > > If the formation of a corporation in other countries is > faster/simpler/cheaper, it still does not contribute to abuse. > > > My opinion: > EV certificates are not 100% secure, BUT they increase security enormously. > > > Why do browsers want to make the Internet less secure? Instead of abolishing > the EV indicators, they should rather be fully activated again, including the > green address bar. > > Carsten
[PW] Very well said Carsten. I’d like to add something that bugs more more than anything else - it’s hypocrisy. “Read this blog post - it proves that it’s possible to trick the system to get an EV Certificate. It doesn’t matter if it has never happened. EV is broken. Let’s get rid of all website identity.” AND “It doesn’t matter if Let’s Encrypt has issued 14,000+ DV certs to domains with PayPal - we believe every website needs to be encrypted. And Let’s Encrypt isn’t responsible for phishing." Can Mozilla please reconcile these two assertions? I still can’t get my head around it. - Paul > > > Translated with www.DeepL.com/Translator > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
