Last week I posted reasons why Mozilla shouldn’t remove the EV UI from Firefox.
In addition to the discussion on how the EV UI can inform users when a website
does or does not have confirmed identity before they choose to type in their
password or credit card number (after a little user training), I also mentioned
that EV certificate Subject information (organization name, etc.) is currently
used by browser phishing filters and by anti-phishing services. I was then
asked to corroborate that, and so I have communicated with some of our sources
(the Labor Day holiday has slowed things down) to ask them for an authorized
statement.

As some have suggested on this list, there may be reluctance by some services
that use EV cert data to repeat on a public list what they have told us in
private over the years, both for competitive reasons and also to avoid giving
phishers clues as to how to beat their algorithms.

However, I did receive authority to post the following statement from someone
who works for a major browser phishing filter (but without disclosing the
person's name or company). Here is the authorized statement:

“A browser phishing filter representative has confirmed that (1) their
research teams do look at EV certificate attributes and do feel there is signal
there for phish/malware detection, and (2) they would like to have continued
access to this EV data.”

I think this establishes the point I made last week – that EV data is valuable
for anti-phishing efforts and so EV should be supported by the browsers. I’m
still concerned that removing the EV UI in Firefox could cause some EV sites to
stop using EV certificates, which in turn would eliminate the availability of
their EV website data from the security ecosystem. This possible adverse
outcome should be considered by Mozilla before it removes its EV UI.

If and when I am authorized to post more statements from others, I will.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy