On Wed, Dec 13, 2017 at 3:50 PM, Tim Shirley <[email protected]> wrote:
> I’m not looking for a guarantee. Nothing is ever going to meet that
> standard. What I’m looking for is something that’s going to improve my
> odds. What I see in Ian’s and James’s research is some ways that it’s
> possible to create confusion, accidentally or deliberately. But I haven’t
> heard of any real world cases where such deception was used deliberately to
> date.

Nor did CAs hear about real-world cases about MD5 or SHA-1 until, well, it
was too late. Look at the fact that the CA/Browser Forum was actively
debating extending SHA-1's lifetime (indefinitely, as proposed by some CAs),
up to the very morning that it was publicly shown as broken - despite years
of warning.

> And I’d expect, since Certificate Transparency has been required for a
> couple years now for EV treatment in Chrome, that if such attacks were
> actually happening in the real world today with EV certificates, we’d know
> about them and they would be getting trumpeted in this thread.

Sure, but the CT-derived value doesn't require UI. Or, conversely, are you
saying that EV is only safe with CT, and if (and only if) sites are looking
for confusion?

> Why do police wear bulletproof vests when they know they’re entering a
> dangerous situation? A vest only covers part of the body, so they’re still
> in danger. I wouldn’t call a bulletproof vest a placebo. It’s a layer of
> defense, just like EV. I’m not claiming EV “solves” phishing but I am
> claiming that it mitigates it.

But it's an outsourced mitigation - the site operator is being convinced to
buy an EV cert by a CA, but the protection is only effective if the
technical controls work (they don't) or the users are trained on the
business realities (which I would assert _no one_ is, given the
jurisdictional nuance). It's not an apples-to-apples comparison - this
isn't defense in depth.

> I guess I’m also having a hard time appreciating how the presence of this
> information is a “cost” to users who don’t care about it. For one thing,
> it’s been there for years in all major browsers, so everyone has at least
> been conditioned to its presence already. But how is someone who isn’t
> interested in the information in the first place being confused by it? And
> if the mere presence of an organization name is creating confusion, then
> surely a URL with lots of words and funny characters in it would be
> confusing people too, and we should remove that too, right?

That has been proposed, yes. To some extent, that's what Safari's UI tries
to do, for what we can extrapolate as similar reasonings.

But yes, the complex state of indicators has ample (general) HCI research
supporting it, and even specific to the browser case (e.g.
https://research.google.com/pubs/pub45366.html in more modern times, or
http://www.usablesecurity.org/papers/jackson.pdf going further back).

As far as I'm aware, there has been zero peer-reviewed, academically sound
research demonstrating the value proposition of EV, just anecdata, while
there is a rather extant body showing the harm that complexity causes, both
individually (as earlier referenced) and as applied to connection security
indicators - particularly, positive indicators such as EV (where you must
note the absence of, rather than the presence).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

