On 13/12/2017 14:50, Tim Shirley wrote:
> I guess I’m also having a hard time appreciating how the presence of this
> information is a “cost” to users who don’t care about it. For one thing, it’s
> been there for years in all major browsers, so everyone has at least been
> conditioned to its presence already. But how is someone who isn’t interested
> in the information in the first place being confused by it? And if the mere
> presence of an organization name is creating confusion,

In addition to what Ryan said, speaking as an engineer who's worked on
the Firefox URL bar, the EV indicator also has a non-trivial cost in
terms of implementation/UI-design complexity.
On a purely practical level, displaying a longer EV entity string
implies less of the actual URL string is visible to the user, which in
itself is a risk for phishing.

> then surely a URL with lots of words and funny characters in it would be
> confusing people too, and we should remove that too, right?

I know you're speaking in jest, but yes. This is exactly why Safari
doesn't show the URL path/querystring etc. in the URL bar when the URL
isn't being edited (only the domain and/or EV name). We may or may not
end up doing something similar (i.e. lose path/querystring/hash) in
Firefox, but either way there are definitely reasonable arguments for
doing something along those lines.
Going further off-topic, as people have already implied, perhaps we want
other trust UI that provides more meaningful information to users about
the trust status of a page, that is easier to understand than a URL or
scheme/hostname/port combination. But we don't need to block removing EV
UI on that if there's consensus that EV UI doesn't add (sufficient)
value to remain in browsers.
~ Gijs
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy