On 13/12/2017 14:50, Tim Shirley wrote:
> I guess I’m also having a hard time appreciating how the presence of this
> information is a “cost” to users who don’t care about it.  For one thing, it’s
> been there for years in all major browsers, so everyone has at least been
> conditioned to its presence already.  But how is someone who isn’t interested
> in the information in the first place being confused by it?  And if the mere
> presence of an organization name is creating confusion,

In addition to what Ryan said, speaking as an engineer who's worked on the Firefox URL bar, the EV indicator also has a non-trivial cost in terms of implementation/UI-design complexity.

On a purely practical level, displaying a longer EV entity string implies less of the actual URL string is visible to the user, which in itself is a risk for phishing.

> then surely a URL with lots of words and funny characters in it would be
> confusing people too, and we should remove that too, right?

I know you're speaking in jest, but yes. This is exactly why Safari doesn't show the URL path/querystring etc. in the URL bar when the URL isn't being edited (only the domain and/or EV name). We may or may not end up doing something similar (i.e. lose path/querystring/hash) in Firefox, but either way there are definitely reasonable arguments for doing something along those lines.

Going further off-topic, as people have already implied, perhaps we want other trust UI that provides more meaningful information to users about the trust status of a page, that is easier to understand than a URL or scheme/hostname/port combination. But we don't need to block removing EV UI on that if there's consensus that EV UI doesn't add (sufficient) value to remain in browsers.

~ Gijs