On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy <[email protected]> wrote:

> On 14/12/2017 00:23, Peter Gutmann wrote:
> > Tim Shirley via dev-security-policy <[email protected]> writes:
> >
> >> But regardless of which (or neither) is true, the very fact that EV certs are
> >> rarely (never?) used on phishing sites
> >
> > There's no need:
> >
> > https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
> >
> > In particular, "the rate at which phishing sites are hosted on HTTPS pages is
> > rising significantly faster than overall HTTPS adoption".
> >
>
> But how many of those are on *EV-certified https URLs* is the question
> raised here.

No, it isn’t.

> In particular, some participants insist there are many of those, but
> have yet to post even a single concrete example, let alone statistics of
> how many such examples exist.

Could you point to such an example where a participant insisted that? Or is that merely a straw man argument used to advance a logically flawed position?

Some participants have pointed out correlation is not causation - that you can’t infer that never being attacked by a tiger while you’re holding a particular rock means that the rock repels tigers, any more than EV UI prevents phishing.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

