@Ryan “Since improving it as a technical means is an effective non-starter (e.g. introducing a new origin for only EV certs), the only fallback is to the cognitive means”
EV is a convenient signal. I like it. The problem is the infrastructure that pits the Internet and its protocols with inadequate protection for the end user against active adversaries. Whether the false “claim” of security is being made contrary to what most security experts would consider a fact (or am I wrong?) is a problem not specific to UI, but to one of the OWASP threats. Perhaps a moral question of fooling Internet users via a higher level of security knowledge. In general the IETF and IAB have already reached consensus that internet users and use cases should have the same rights to protection that other organizations have. Mozilla acknowledges this by not locating the GooglePlex in Boca Raton, Fl.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy