Or the return isn't worth it. Malicious actors have to assume that any given domain, certificate, URL, etc. will get blocked or shut down by the security industry, so being able to cycle those endpoints is key. EV is not easy to automate/cycle, and can also be more cost prohibitive, so each cycle is less profitable as well.
That's my point: Systems that don't scale are less profitable to attempt to abuse for malicious ends, because more time and effort has to be invested into any given effort, and ideally, there are actual humans involved in the process which catch discrepancies.
The other reason you may not see a lot of attempts to find exploits in EV (apart from Ian) is that most of the actors sites want to pretend to be aren't using EV either. If you want to fake yourself as Google, EV isn't going to help you since Google doesn't use it.
I would argue the claim "bad actors aren't trying to abuse it so it isn't effective" to be silly, as that claim would apply among all methods that bad actors can't meaningfully abuse.
That's my point: Systems that don't scale are less profitable to attempt to abuse for malicious ends, because more time and effort has to be invested into any given effort, and ideally, there are actual humans involved in the process which catch discrepancies.
The other reason you may not see a lot of attempts to find exploits in EV (apart from Ian) is that most of the actors sites want to pretend to be aren't using EV either. If you want to fake yourself as Google, EV isn't going to help you since Google doesn't use it.
I would argue the claim "bad actors aren't trying to abuse it so it isn't effective" to be silly, as that claim would apply among all methods that bad actors can't meaningfully abuse.