As I see it, there are essentially two entirely different forms of identity assurance that TLS certificates are intended to provide:
- To assure the user that the domain name displayed in the address bar is controlled by the same entity who controls the server they are communicating with (Domain Validation)
- To assure the user that the name displayed in EV certificate UI represents the real-world entity who controls the server they are communicating with (Extended Validation)

Depending on the type of information the user intends to share with the site they are accessing, the user may care more about one of these forms of identity assurance or the other:

- If the user is simply commenting on a blog or cataloging their favorite pie recipes, then they may only care that the entity they are communicating with today is the same as the one they were communicating with yesterday (Domain Validation)
- If the user is entering real-world information like their street address, SSN, or bank details, then the main thing they care about is whether the entity they are communicating with is the same entity they already know and trust from real life (Extended Validation)

And in turn, each of these forms of identity assurance can be manipulated to potentially confuse users:

- A malicious actor can craft a URL which appears to match the user's expectations, but in reality does not. (E.g. https://www.faceboook.com/, https://www.facebook.com.secure.site/, https://other.site.com/www.facebook.com)
- A malicious actor can register a business which appears to match the user's expectations, but in reality does not. (Stripe in Kentucky vs. Stripe in California)

Correct me if I'm wrong, but isn't the sole argument for removing EV UI based on the premise that attack #2 in the list above is worse than attack #1? So much worse in fact, that rather than try to mitigate #2, we should just remove Extended Validation entirely? I disagree with that premise. What is it about a user mistaking Stripe in Kentucky for Stripe in California that is so much worse than a user mistaking facebook.net for facebook.com?

Is it just the fact that the name of the state the business is registered in is currently not visible in the UI? If that's the case, why is simply showing that information in the UI not a valid solution to the problem?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
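To make the proposal at the end of the post concrete, here is an added example (not part of the mailing list thread or of any browser's code) that reads the EV subject attributes a CA places in a certificate (organizationName, jurisdictionStateOrProvinceName, jurisdictionCountryName and serialNumber, using the real OIDs from the CA/Browser Forum EV Guidelines) and renders an identity line that includes the registration jurisdiction. The certificate, the company name, the state and the registration number are constructed for the demonstration and are not real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs defined by the CA/Browser Forum EV Guidelines (real values).
var (
	oidJurisdictionST = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJurisdictionC  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidSerialNumber   = asn1.ObjectIdentifier{2, 5, 4, 5}
)

// EVIdentity renders "Org (State, Country; registration N)" from the parsed subject,
// i.e. the jurisdiction information the post suggests surfacing in the UI.
func EVIdentity(cert *x509.Certificate) string {
	var jST, jC, reg string
	for _, atv := range cert.Subject.Names { // Names holds every parsed attribute, incl. EV OIDs
		s, _ := atv.Value.(string)
		switch {
		case atv.Type.Equal(oidJurisdictionST): jST = s
		case atv.Type.Equal(oidJurisdictionC): jC = s
		case atv.Type.Equal(oidSerialNumber): reg = s
		}
	}
	org := ""
	if len(cert.Subject.Organization) > 0 { org = cert.Subject.Organization[0] }
	loc := jC
	if jST != "" { loc = jST + ", " + jC } // fall back to country alone if no state is present
	return fmt.Sprintf("%s (%s; registration %s)", org, loc, reg)
}

// constructedCert builds a self-signed certificate carrying constructed EV-style fields.
func constructedCert(org, jST, jC, reg string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Organization: []string{org}, ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidJurisdictionST, Value: jST}, {Type: oidJurisdictionC, Value: jC}, {Type: oidSerialNumber, Value: reg}}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { fmt.Println(EVIdentity(constructedCert("Stripe, Inc", "Kentucky", "US", "0000001"))) }
```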

