Ka-Ping Yee wrote:
> How sure can we be that this is the reason phishers don't use SSL?

Why do people not do anything? Because they don't need to. Phishers don't use SSL because non-SSL phishing is easier and makes them enough money. One reason non-SSL phishing is easier is because we've made little concerted effort to educate users to check for SSL. And the reason for that is because the lock is built on sand.

> Careful!  EV is NOT a "trust indicator", as you have been pointing
> out, and as the EV guidelines emphasize.  This is more like a
> "legally suable entity indicator" (if I understand right -- I
> encourage you to find a name for it that is both accurate and less
> awkward than mine!)

It's an indicator which means that "bad things are substantially less likely to happen putting your credit card number in here than in a site without an EV cert". That fits most colloquial definitions of trustworthiness.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
