On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy <[email protected]> wrote:
>
> On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote:
> > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> >
> > Whatever the merits of EV (and perhaps there are some -- I'm not
> > convinced either way) this data is negligible evidence of them. A DV
> > cert is sufficient for phishing, so there's no reason for a phisher to
> > obtain an EV cert, hence very few phishing sites use them, hence EV
> > sites are (at present) mostly not phishing sites.
>
> Can you prove that your assumption "very few phishing sites use EV (only)
> because DV is sufficient" is correct?
As before, the first email in the thread references the studies performed.

"By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates that appear only at legitimate sites and the effect of reading a help file about security features in Internet Explorer 7. Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack."

https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

"Our results showed that the identity indicators used in the unmodified FF3 browser did not influence decision-making for the participants in our study in terms of user trust in a web site. These new identity indicators were ineffective because none of the participants even noticed their existence."

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf

DV is sufficient. Why pay for something you don't need?

-tom

