Absolutely. The lack of EV when I expect it doesn’t automatically mean to me that something is bad. It just puts me on high alert that something *might* be wrong. And I have never logged into a bank website from a mobile device, but my motivations for that go far beyond EV.

On 12/15/17, 5:10 PM, "dev-security-policy on behalf of Gervase Markham via dev-security-policy" <dev-security-policy-bounces+tshirley=trustwave....@lists.mozilla.org on behalf of [email protected]> wrote:

On 15/12/17 15:50, Tim Shirley wrote:
> I don’t see how you can argue that the EV “seatbelt” breaks 100% of
> the time. I know my bank uses an EV cert. Any time I come across a
> site claiming to be my bank but lacking an EV cert, and my browser
> shows me that distinction, is a time when the seatbelt saves me,
> through that extra signal that alerts me that something isn’t right.

Unless you are using a browser (e.g. a mobile browser) which doesn't show EV indicators, for UX choice or even technical reasons. So you need to know which browsers show EV in the first place. And then, if you are using Chrome, AIUI an OCSP failure will lead to a downgrade to no-EV, so you have to eliminate the possibility as well.

As things stand, for better or worse, there are multiple circumstances where the EV indicator might not show even though it's your real bank.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

