On Wed, Sep 4, 2019, at 14:53, browserpadlock--- via dev-security-policy wrote:
> It seems that the Certificate Authorities are doing their jobs quite
> well in regards to EV certs and making sure that it is very difficult
> for non-qualified/verified sites to get them according to a recently
> concluded study by Georgia Tech CyFI Lab
> (https://www.helpnetsecurity.com/2019/08/01/ev-ssl-certificate/), a
> well respected technical institution, NOT funded by the CA industry.

This paper was paid for by Sectigo, this was clearly noted in their press release:
https://sectigo.com/blog/new-research-in-ev-ssl-security-from-georgia-tech-ev-domains-99-99-free-of-online-crime

The methodology is deeply flawed, for example these are some of the "malicious" domains from their dataset:

extended-validation-ssl.websecurity.symantec.com
hotmail.co.jp
math.northwestern.edu
downloads.comodo.com

(there are a bunch more but I don't really care enough to keep going)

Jonathan

