Yeah we’re definitely talking past each other.  I’m not claiming the extra 
signal CAN’T be spoofed, nor am I claiming that EV prevents phishing or that 
the UI is providing me a guarantee.  I’m saying it’s giving me a signal to pay 
closer attention, and I’m describing a scenario where that signal will help 
keep me safe; a time when the seatbelt works, even if you think I’m putting too 
much trust in it.

From: Ryan Sleevi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, December 15, 2017 at 5:05 PM
To: Tim Shirley <[email protected]>
Cc: "[email protected]" <[email protected]>, Matthew Hardeman 
<[email protected]>, mozilla-dev-security-policy 
<[email protected]>
Subject: Re: On the value of EV



On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley <[email protected]> wrote:
I don’t see how you can argue that the EV “seatbelt” breaks 100% of the time.  
I know my bank uses an EV cert.  Any time I come across a site claiming to be 
my bank but lacking an EV cert, and my browser shows me that distinction, is a 
time when the seatbelt saves me, through that extra signal that alerts me that 
something isn’t right.  If that goes away, there is unequivocally going to be a 
non-zero number of people who will be phished who would not have been phished 
with the UI present.

And if someone wanted to phish your bank, they can obtain a cert that appears 
as your bank.

So that extra signal can be spoofed, thus even in your case, does not provide 
value.

If the only choices are to remove the UI or not, then the question to resolve, 
I’d think, is: are more people being phished today because the UI is there, 
relative to the number who would be phished in a tomorrow where it is not?  
Only then would it make sense to remove it.

No, that's not the 'only' thing that would make sense to remove it.

It also perpetuates the myopic and flawed view as a phishing mitigation, whose 
reliance is upon users checking it (again, user hostile), and misleading both 
users and site operators into EV as a phishing mitigation, when we do have more 
effective means that require less cognitive investment by users and offer more 
reliable signals for sites (cf. WebAuthn or Credentials API).

It intentionally ignores whether "Are people being harmed today because the UI 
is there" - both those who believe (such as yourself) that it incorrectly 
prevents phishing, as well as those who are confused by the complicated UI and 
the implications of the various states.

Of course there are a lot of variables to unpack to figure that out, but it’s 
not the black and white decision you paint here; removing it WILL be hostile to 
some number of users.

Removing it will make some users sad. Those users are relying upon the UI to 
guarantee the things the UI does not guarantee. Removing it will feel like a 
guarantee has been removed. The guarantee never existed, so the guarantee is 
not being removed.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
