On Sunday, 1 September 2019 04:27:04 UTC+2, Peter Gutmann wrote:
> Since the value to criminals of EV web certs is low, it seems they're not
> doing much to stop what the criminals are doing. If they did have any value
> then criminals would be prepared to pay more for them, like they already do
> for EV code-signing certs.
But the target audience for phishing are uninformed people. People who have no idea what an EV cert is. People who don't even blink if the English on the phishing page is worse than a 5-year-old could produce. You cannot base the decision whether an EV indication in the browser is useful on those people.

Same as you all, I don't have any “official” data to base these beliefs on. But for example there are studies which conclude that email scammers intentionally use unbelievable stories and bad grammar. Why do they do this? Because sending mails is free but interacting with replies is costly. They only want the most gullible people to answer in the first place.

In the same way, I argue, even if criminals were to create scam websites with EV certificates, fewer people would notice immediately that the page is wrong. But these people are not the target group of the scammer anyway. These are the users that are already aware of the dangers on the internet. If they wouldn't leave the page because of the missing EV certificate, they would most likely find another sign that the page is fake and still leave.

The reason why criminals don't need EV certificates is: the people caring about EV indicators are not their target group.

The problem is that the data actually needed is missing and many here just use the easily available data and pretend it is possible to draw any valid conclusions from that. The data we would need is: how many people leave a malicious webpage because the EV indicator is missing? The only data I have seen here is: (estimated) how many people enter their data in malicious websites. It is simply not possible to draw any information about the first question from answers to the second.

Using the same logic applied by many in favor of removing the EV indication, one could argue against almost anything. E.g. for arguing against DUI laws:

1. Find a point in time when no DUI laws existed in a jurisdiction and there were fewer cases of drunk drivers than now. (Trivial, because at some time there were even fewer drivers in total than drunk drivers now.)
2. Argue that the DUI laws obviously don't prevent drunk driving, because not only are there still people driving drunk, but there are even a lot more of them than at the time found in 1.

I hope no one would believe that drunk driving wouldn't increase a lot if the laws were removed now.

For the EV indicator, we just don't know how many people were prevented from being scammed because of this. And removing a security feature because we don't know if it is successful is a dangerous thing to do. The better way would be to find out if it is really as useless as argued by some here. If it is that obvious that it is not helping, producing this data should be an easy task. But the information “some people fall for scams with DV certificates” is not the right information to decide this. The interesting people are the ones NOT falling for a scam because it is using a DV certificate, and I haven't seen anyone giving any data about them here.

- Josef

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

