On Wed, Mar 29, 2017 at 7:30 AM, Hector Martin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> We actually have *five* levels of trust here:
>
> 1. HTTP
> 2. HTTPS with no validation (self-signed or anonymous ciphersuite)
> 3. HTTPS with DV
> 4. HTTPS with OV
> 5. HTTPS with EV
>

No, we actually only have three levels.

1. HTTP
2. "I explicitly asked for security and didn't get it" (HTTPS with no
validation)
3. HTTPS

> Obvious answer? Make (1)-(2) big scary red, (3) neutral, (4) green, (5)
> full EV banner. (a) still correlates reasonably well with (4) and (5).
> HTTPS is no longer optional. All those phishing sites get a neutral URL
> bar. We've already educated users that their bank needs a green lock in the
> URL.


And that was a mistake - one which has been known since the very
introduction of EV in the academic community, but sadly, like Cassandra,
was not heeded.

http://www.adambarth.com/papers/2008/jackson-barth-b.pdf should be required
reading for anyone who believes OV or EV objectively improves security,
because it explains how, since the very beginning of browser support for
SSL/TLS (~1995), there has been a security policy in place that determines
equivalence - the Same Origin Policy.

While the proponents of SSL/TLS then - and now - want certificates to be
Something More, the reality has been that, from the get-go, the only
boundary has been the Origin.

I think the general community here would agree that making HTTPS simple and
ubiquitous is the goal, and efforts by CAs - commercial and non-commercial
- towards those efforts, whether it be through making certificates more
affordable to obtain or simpler to install or easier to support - are
well-deserving of praise.

But if folks want OV/EV, then they also have to accept there needs to be an
origin boundary, like Barth/Jackson originally called for in 2008
(httpsev://), and that any downtrust in that boundary needs to be blocked
(similar to mixed content blocking of https -> http, as those degrade the
effective assurance). Further, it seems as if it would be necessary to
obtain the goals of 4, 5, or (a) that the boundary be 'not just'
httpsev://, but somehow bound to the organization itself - an
origin-per-organization, if you will.

And that, at its core, is fundamentally opposed to how the Web was supposed
to and does work. Which is why (4), (5), and (a) are unreasonable and
unrealistic goals, despite having been around for over 20 years, and no new
solutions have been put forward since Barth/Jackson called out the obvious
one nearly a decade ago, which no one was interested in.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy