On 24/08/2019 05:55, Tom Ritter wrote:
> On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy
> <[email protected]> wrote:
>> On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote:
>>> On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
>>> Whatever the merits of EV (and perhaps there are some -- I'm not
>>> convinced either way) this data is negligible evidence of them. A DV
>>> cert is sufficient for phishing, so there's no reason for a phisher to
>>> obtain an EV cert, hence very few phishing sites use them, hence EV
>>> sites are (at present) mostly not phishing sites.
>> Can you prove that your assumption "very few phishing sites use EV (only) because
>> DV is sufficient" is correct?
> As before, the first email in the thread references the studies performed.
The (obviously outdated) studies quoted below were NOT referenced by the
first message in this thread. The first message only referenced two
highly unpersuasive demonstrations of the mischief possible in
controlled experiments.
<https://www.typewritten.net/writer/ev-phishing/> and
<https://stripe.ian.sh/> both took advantage of weaknesses in two
government registries to create actual dummy companies with misleading
names, then tried to get EV certs for those (with mixed success, as at
least some CAs rejected or revoked the certs despite the government
failures). At least the first of those demonstrations involved a no
longer trusted CA (Symantec). Both demonstrations caused the
researchers' real names and identities to become part of the CA record,
which was hand-waved away by claiming that could have been avoided by
criminal means.
Studies quoted by Tom Ritter on 24/08/2019:
> "By dividing these users into three groups, our controlled study
> measured both the effect of extended validation certificates that
> appear only at legitimate sites and the effect of reading a help file
> about security features in Internet Explorer 7. Across all groups, we
> found that picture-in-picture attacks showing a fake browser window
> were as effective as the best other phishing technique, the homograph
> attack. Extended validation did not help users identify either
> attack."
> https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
A 12-year-old study involving an equally outdated browser.
> "Our results showed that the identity indicators used in the
> unmodified FF3 browser did not influence decision-making for the
> participants in our study in terms of user trust in a web site. These
> new identity indicators were ineffective because none of the
> participants even noticed their existence."
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.543.2117&rep=rep1&type=pdf
An undated(!) study involving highly outdated browsers. No indication
this was ever in a peer reviewed journal.
> DV is sufficient. Why pay for something you don't need?
Unproven claim, especially by studies from before free DV without
traceable credit card payments became the norm.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy