
> We need an 'Expect-EV' header, just like 'Expect-CT'.

What good would that header do? A phishing site (say, "paypaaaaal.com") would simply not set it.

> Or maybe all websites that request certain info (like SSN or credit card) should be required to have EV.

EV certificates are not available to everyone. In particular, they're only available to users in certain countries, and even then only to registered businesses.

Besides, how do you enforce a requirement like that, short of barring users from submitting data that looks like a credit card to a site without an EV certificate? (Which would cause massive and entirely justified outrage, and would be quickly bypassed by phishing sites regardless.)



> What good would that header do?

It would protect against MitM attacks where the attacker has fraudulently obtained a non-EV certificate, such as through CA compromise or a BGP attack, especially since EV certs are required to have CT log entries. I guess since Expect-CT already solves this, Expect-EV may not be that helpful.

> EV certificates are not available to everyone.

I agree this is a problem. EV should be available to anyone anywhere willing and able to prove their legal identity, be it a person or an organization. Then if someone uses EV to phish, they can be held accountable.

> how do you enforce a requirement like that

If this becomes standard, then we can train users to expect EV indicators when asked for payment data. Any site asking for it without EV would automatically become out-of-the-norm.
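The two replies above turn on how a header such as Expect-CT actually protects anyone: the header is remembered by the browser only for a host that has already sent it over a CT-compliant connection, and it is consulted on later connections to that same host, so a freshly registered phishing domain that never sends it is simply outside the mechanism. The following simulation of an Expect-CT policy cache (directives `max-age`, `enforce`, `report-uri`, as in RFC 9163) is an added example written for this thread, not browser code and not from either commenter; the `ExpectCtCache` class, the `clock` parameter and the hostnames are all constructed for illustration.

```python
"""Model of a browser-side Expect-CT policy cache.

Constructed example: shows why a header-pinning scheme protects later
connections to a host that opted in, and has nothing to say about a
host (for example a look-alike phishing domain) that never sent it.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ExpectCtPolicy:
    host: str
    expires: float          # absolute time at which the policy lapses
    enforce: bool           # block on failure, otherwise only report
    report_uri: Optional[str]


def parse_expect_ct(value: str) -> Tuple[int, bool, Optional[str]]:
    """Parse 'max-age=86400, enforce, report-uri="..."' into its parts.

    Unknown directives are ignored; max-age is mandatory.
    """
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("Expect-CT header requires max-age")
    return max_age, enforce, report_uri


class ExpectCtCache:
    """Per-host policy store consulted on every later TLS connection."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing (constructed)
        self._policies: Dict[str, ExpectCtPolicy] = {}

    def remember(self, host: str, header_value: str,
                 connection_ct_compliant: bool) -> None:
        # A policy is only cached when the connection that delivered the
        # header was itself CT-compliant, so an attacker cannot pin a host
        # into a state the legitimate site never reached.
        if not connection_ct_compliant:
            return
        max_age, enforce, report_uri = parse_expect_ct(header_value)
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 clears the policy
            return
        self._policies[host] = ExpectCtPolicy(
            host, self._clock() + max_age, enforce, report_uri)

    def evaluate(self, host: str, cert_has_valid_scts: bool) -> str:
        """Return 'allow', 'report' or 'block' for a new connection."""
        policy = self._policies.get(host)
        if policy is None or policy.expires <= self._clock():
            self._policies.pop(host, None)
            # No policy on file: nothing to check. A never-seen domain,
            # including a look-alike phishing host, always lands here.
            return "allow"
        if cert_has_valid_scts:
            return "allow"
        return "block" if policy.enforce else "report"


if __name__ == "__main__":
    cache = ExpectCtCache()
    cache.remember("bank.example", "max-age=86400, enforce", True)
    print(cache.evaluate("bank.example", cert_has_valid_scts=False))   # block
    print(cache.evaluate("look-alike.example", cert_has_valid_scts=False))  # allow
```

The `evaluate` call models the point of the first reply: a mis-issued certificate for `bank.example` is blocked because the browser already holds a policy for that host, while a different domain gets no protection at all because there is nothing in the cache to compare against. Expect-CT itself has since been removed from Chrome, as CT became mandatory for all publicly trusted certificates, but the caching logic is the same shape any hypothetical Expect-EV header would need.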



