On Fri, Dec 15, 2017 at 2:34 PM, Matthew Hardeman via dev-security-policy <[email protected]> wrote:

> On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote:
>
> > James’ research has showed the ease at which it is possible to use the UI
> > afforded EV to mislead users - fundamentally, a form of phishing,
> > exploiting the misunderstanding about what EV is it guarantees.
> >
> > Ian’s research has shown that the UI afforded is fundamentally
> > insufficient, which, while long known, now has a direct case to point to.
> > The mismatch between what EV is - for every single certificate that exists
> > up until now - and what the UI expresses means that it’s insufficient, for
> > every single existing certificate out there, to show UI.
>
> Here I would point out that these concerns would seem incongruent with
> your prior stated positions that no one is looking at or relying upon the
> EV marker.

I'm not sure I made those statements, but would be happy to clarify the confusion. Indeed, as I tried to call out, there are a subset of users who are looking at it and relying on it - although it cannot be relied upon - and any proposition to improve it via validation means is fundamentally asserting that users SHOULD be relying on it (as it derives its value from that), which I believe is a user-hostile conclusion. That is, put differently, if users are only 'safe' if they rely on that UI, then we've failed them. If users rely on that UI, and they're not safe, then we've failed them. In short, the UI has failed them.

> On the other hand, you also do point out correctly that there is some
> question of value and validity under the now-present standards.
>
> Let's be clear though: assuming those standards were promptly improved, it
> will be monumentally more difficult to get a UI enhancement back into
> product after its recent removal, right?

Yes, because solving the validation problem alone ignores the fundamental problems, but simultaneously folks have been arguing for ignoring the fundamental problems on the belief that the UI is valuable. It's entirely inconsistent and circular reasoning to show that UI.

> While having a single level of assurance is simple and certainly is a
> level playing field, it is not a bad thing that consumers would like an
> externally validated marker which suggests that trust in the party
> controlling this website may be easier to grant: say, because, the details
> within the certificate clarify that a particular human being can be found
> responsible and called to account.

I disagree with this assertion; namely, it's not bad that consumers may want this, but that doesn't mean that the UI is fundamentally the appropriate way to solve this, or that certificates themselves do.

> When all else is unavailable, people tend to extend trust on the basis of
> potential mutual harm arising from bad action. If I feel confident that I
> can physically locate a person associated with a website,

I have already showed where and how this confidence is fundamentally misplaced. Yes, you may feel confident. No, that confidence is not based in the technical reality. Even with "enhanced validation" (which, again, is fundamentally problematic and challenging, as shown through WIPO, and itself unrealistic), the underlying technology itself - and the threat models - don't align.

