On Wed, Dec 13, 2017 at 6:29 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> > > Yes. This is the foundation and limit of Web Security.
> > >
> > > https://en.wikipedia.org/wiki/Same-origin_policy
> > >
> > > This is what is programmatically enforced. Anything else either requires new
> > > technology to technically enforce it (such as a new scheme), or is
> > > offloading the liability to the user.
> > >
> What is *programmatically* enforced is too little for human safety.
> Believing that computers can replace human judgement is a big mistake.
> Most of the world knows this.

That is a misguided and inaccurate rephrasing. However, it still shows that you are fundamentally taking the viewpoint that:

1) Users should be responsible and bear the liability (straight up user hostile)
2) This information is as critical as the one piece of truly guaranteed information, the URL (it isn’t)
3) It is a usable solution to require the visual determination as to whether a given piece of information is present - that is, a positive indicator (where both general studies AND browser specific studies show this doesn’t work)

You aren’t adding to this; you’re simply phrasing your view that this information is valuable. You haven’t responded to these points as to the user experience, or the research, but instead theorize about how it should be, or power users, or user education, all while ignoring the substance of these realities.

> You need to understand that not every trust begins and ends with a
> Google search for a URL.

You need to understand that EV specifically states it is not for this purpose. As already provided to you from the EVGs.

> Sometimes people buy cheaper items online and just need to know that
> their credit card transaction is not visible to a random company (hence
> the common practice of outsourcing the entry of card details to a
> reputable clearing service that promises not to hand the credit card
> number back to the seller).

EV does not provide this. This is just a basic understanding of the technology.

> Sometimes people make bigger purchases and
> need the assurance that there is a real company at the other end, which
> can (if necessary) be sued for non-delivery.

EV EXPLICITLY does not provide this. Read the EVGs.

> Sometimes people make
> really big transactions and need to know that they are dealing with a
> real world entity that they have a real world trust relationship with.

EV EXPLICITLY does not provide this. Read the EVGs.

> I have been copying the example name from message to message, with no one
> objecting. Saving up this mistake for use as ammunition when you run
> out of arguments is not a nice way to argue.

Getting upset doesn’t undermine the fact that you’ve continued to make mistakes that have already been addressed in both the original research and past replies to you. The discussion has not been moved forward by the points you’ve raised, because they’ve already been shown to be logically or factually flawed and unsupported. I do hope that you will revisit these and see how the points you’ve raised - even in this very message - are already disputed by the research, design, and technology.

> > The remainder of your argument basically boils down to "But Banks already
> > are offloading the liability to users when they say check for the green
> > bar" (and that is bad, user hostile, and unsustainable), and the "Look for
> > the corporate identity" has been shown repeatedly to be insufficient and
> > incomplete that if that is the response you'd offer, then it's not
> > introducing new information into the conversation.
> >
> No, I was using the awareness campaigns by banks as an example of how
> users can be, and have been, trained to use the EV UI even if they don't
> fully understand it. It was a counterexample to your use of misleading
> statistics about how few users understand the nuances of EV
> certificates.

It is hardly a counter-example. It continues to be unsupported by data, by the extant user studies contradicting your conclusions and belief - that they are effective and users understand - and themselves still rely on the fundamentally flawed approach of shifting the liability to the user to make sense of the legal identity. You have yet to respond to the substance of this basic model about users - continuing to insist that somehow it’s reasonable to expect billions of users to be aware of an interface that shows the jurisdictional nuance in a critical UI point. It’s unclear whether or not you even acknowledge the current flaws - I would hope, given your earlier proposal to display the full jurisdictional information, that you can at least acknowledge that EV as it presently exists is insufficient UI and insufficient validation for the status afforded it. At best, your view seems to be to double down on promoting a user-hostile, unrealistic workflow, by adding even more information (ignoring the research and basic cognitive challenges I pointed out to you), restricting the access even further (ignoring the inherent limitations of that, as demonstrated by WIPO), and then expecting users to understand this even more nuanced approach of limitations. None of this has changed from when we first started discussing, and you haven’t meaningfully engaged on these basics, other than providing your opinion - which, while valuable, doesn’t dispute or disprove those issues above.

> I am saying that your view of what the EV system achieves and has
> already achieved is completely biased and flawed.

Cool. Well, since you won’t engage in the substance - where I provided the supporting facts and basic positions for the conclusions, and walked you through how they are arrived at - and are willing to hold the line on this opinion despite it being unsubstantiated by the facts, then we’re done.

You’re not engaging with anything more than opinions and stories about how it ought to be, so I haven’t learned anything new from you that wasn’t already discounted or disproved. You’re either not willing to read the research - or even the original issues - or not convinced by the years of academic research showing your conclusions aren’t supported, so there’s no point trying to convince you of these facts. The lack of engagement on, or discussion of, origins perhaps best illustrates how fundamentally ineffective this conversation has been - because that is the starting point, in any conversation, yet it is continually deflected or ignored.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
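The thread keeps returning to the point that the origin is the only boundary a browser enforces programmatically. The following is an added example, not part of the thread or of any browser's code, showing what that boundary actually is: the (scheme, host, port) tuple that the same-origin policy compares. The session list and the organisation names attached to it are constructed for illustration; they stand in for what a browser might read out of an EV certificate's subject, and they are carried along only to show that no such field takes part in the isolation decision.

```javascript
// Added example (not from the thread): the same-origin comparison a browser
// performs. Origin = (scheme, host, port); the certificate subject (O=,
// jurisdiction, etc.) is never an input to it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Serialise a URL's origin, filling in the scheme's default port so that
// "https://example.com/" and "https://example.com:443/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Two documents can script each other, share storage and read each other's
// DOM only when this returns true.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample "sessions": a URL plus the organisation name that an EV
// certificate for that host might carry. Note that the last entry shares the
// EV name with the first, and the fourth shares the host, yet each of them
// is a different origin.
const SESSIONS = [
  { url: "https://example.com/account",   evOrg: "Example Corp (US)" },
  { url: "https://example.com:443/login", evOrg: "Example Corp (US)" },
  { url: "https://example.com:8443/",     evOrg: "Example Corp (US)" },
  { url: "http://example.com/",           evOrg: null },
  { url: "https://login.example.com/",    evOrg: "Example Corp (US)" },
];

// Group sessions into the isolation buckets the browser would use. Pages in
// one bucket are mutually trusted; pages in different buckets are not,
// whatever their certificates say about the legal entity behind them.
function partitionByOrigin(sessions) {
  const buckets = new Map();
  for (const s of sessions) {
    const o = originOf(s.url);
    if (!buckets.has(o)) buckets.set(o, []);
    buckets.get(o).push(s.url);
  }
  return buckets;
}

for (const [origin, urls] of partitionByOrigin(SESSIONS)) {
  console.log(origin, "->", urls.join(", "));
}
```

Run with Node (the global `URL` class is used, no packages needed). The five constructed sessions fall into four origin buckets: only the first two URLs share an origin, because the explicit `:443` is the scheme's default port; changing the scheme, the port or a subdomain label yields a different origin even though the hostname, and in the sample the EV organisation name, stays the same.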