If the signal can be spoofed, it does not actually help keep you safe.

On Fri, Dec 15, 2017 at 5:21 PM, Tim Shirley <tshir...@trustwave.com> wrote:
> Yeah we’re definitely talking past each other. I’m not claiming the extra signal CAN’T be spoofed, nor am I claiming that EV prevents phishing or that the UI is providing me a guarantee. I’m saying it’s giving me a signal to pay closer attention, and I’m describing a scenario where that signal will help keep me safe; a time when the seatbelt works, even if you think I’m putting too much trust in it.
>
> *From: *Ryan Sleevi <r...@sleevi.com>
> *Reply-To: *"r...@sleevi.com" <r...@sleevi.com>
> *Date: *Friday, December 15, 2017 at 5:05 PM
> *To: *Tim Shirley <tshir...@trustwave.com>
> *Cc: *"r...@sleevi.com" <r...@sleevi.com>, Matthew Hardeman <mharde...@gmail.com>, mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> *Subject: *Re: On the value of EV
>
> On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley <tshir...@trustwave.com> wrote:
>
> I don’t see how you can argue that the EV “seatbelt” breaks 100% of the time. I know my bank uses an EV cert. Any time I come across a site claiming to be my bank but lacking an EV cert, and my browser shows me that distinction, is a time when the seatbelt saves me, through that extra signal that alerts me that something isn’t right. If that goes away, there is unequivocally going to be a non-zero number of people who will be phished who would not have been phished with the UI present.
>
> And if someone wanted to phish your bank, they can obtain a cert that appears as your bank.
>
> So that extra signal can be spoofed, thus even in your case, does not provide value.
>
> If the only choices are to remove the UI or not, then the question to resolve, I’d think, is: are more people being phished today because the UI is there, relative to the number who would be phished in a tomorrow where it is not? Only then would it make sense to remove it.
>
> No, that's not the 'only' thing that would make sense to remove it.
>
> It also perpetuates the myopic and flawed view as a phishing mitigation, whose reliance is upon users checking it (again, user hostile), and misleading both users and site operators into EV as a phishing mitigation, when we do have more effective means that require less cognitive investment by users and offer more reliable signals for sites (c.f. WebAuthN or Credentials API)
>
> It intentionally ignores whether "Are people being harmed today because the UI is there" - both those who believe (such as yourself) that it incorrectly prevents phishing, as well as those who are confused by the complicated UI and the implications of the various states.
>
> Of course there are a lot of variables to unpack to figure that out, but it’s not the black and white decision you paint here; removing it WILL be hostile to some number of users.
>
> Removing it will make some users sad. Those users are relying upon the UI to guarantee the things the UI does not guarantee. Removing it will feel like a guarantee has been removed. The guarantee never existed, so the guarantee is not being removed.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy