Please tell me if I understand this correctly...
Is it that DV and EV certificates now both show the same lock symbol?
That would be a great harm in my opinion. And I do not understand why you want 
this change.

I think EV is very important and I explain why.

Let's look at the following hypothetical case: We have google.com, paypal.com as 
well as goog1e.com and paypa1.com. Notice the two number 1 (one) instead of a 
lower case L in the latter two domains. (Lowercase "L" and "one" look perfectly 
equal in Times New Roman. And lowercase "L" looks perfectly equal to uppercase 
"i" in Arial.)

In old Firefox, I get a green bar if I visit google.com and paypal.com, telling 
me that this is a well-known company that got the EV certificate.
The other fake domains goog1e.com and paypa1.com only have DV certificates by 
Let's Encrypt.

In the newer Firefox, both domains, the real one and the fake one both get a 
lock symbol. And I need to click the lock to see if it is DV or EV.

Do I understand that correctly?

And in regard to the comparison of Peter Bowen: If we assume that an 
improvement is that a fire sprinkler does react faster and more accurately, then 
why is it an improvement that old Firefox shows something, and the new Firefox 
does not show something? Is that an enhancement? No, it's removing something 
from the UI.



On Monday, 12 August 2019 20:31:22 UTC+2, Wayne Thayer wrote:
> Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
> which is expected to be released on 22-October. Details below.
> 
> If the before and after images are stripped from the email, you can view
> them here:
> 
> Before:
> https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F
> 
> After:
> https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u
> 
> - Wayne
> 
> ---------- Forwarded message ---------
> From: Johann Hofmann <[email protected]>
> Date: Mon, Aug 12, 2019 at 1:05 AM
> Subject: Intent to Ship: Move Extended Validation Information out of the
> URL bar
> To: Firefox Dev <[email protected]>
> Cc: dev-platform <[email protected]>, Wayne Thayer <
> [email protected]>
> 
> 
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
> 
> Before:
> 
> 
> After:
> 
> 
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
> absence of positive security indicators and proof of concepts have been
> pitting
> EV against domains <https://www.typewritten.net/writer/ev-phishing/> for
> phishing.
> 
> More recently, it has been shown <https://stripe.ian.sh/> that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
> 
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77
> <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
> 
> 
> 
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie for
> working on it!). We're planning to flip this pref to false in bug 1572936
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
> 
> Please let us know if you have any questions or concerns,
> 
> Wayne & Johann
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
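
The lookalike-domain case raised in the reply above (goog1e.com, paypa1.com), as an added example that is not part of the original thread: a defender-side check that flags hostnames whose visual "skeleton" matches a protected domain. The character mapping is a small constructed subset chosen for illustration, not the full Unicode confusables table, and the function names are hypothetical.

```python
# Added example: flag hostnames that visually imitate a protected domain.
# CONFUSABLE and MULTI are a small constructed subset of lookalike pairs,
# not a complete confusables table.
CONFUSABLE = {"1": "l", "0": "o"}          # digit one / zero vs. letters
MULTI = (("rn", "m"), ("vv", "w"))         # multi-character lookalikes

# Protected domains taken from the hypothetical in the message above.
PROTECTED = ("google.com", "paypal.com")


def normalize(host):
    """Lowercase and drop surrounding whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def skeleton(host):
    """Collapse lookalike characters so visually similar hosts compare equal."""
    h = normalize(host)
    for seq, repl in MULTI:
        h = h.replace(seq, repl)
    return "".join(CONFUSABLE.get(ch, ch) for ch in h)


def lookalike_of(host, protected=PROTECTED):
    """Return the protected domain that `host` imitates, or None.

    A host that is the protected domain itself, or a subdomain of it,
    is legitimate and returns None.
    """
    h = normalize(host)
    skel = skeleton(h)
    for real in protected:
        if h == real or h.endswith("." + real):
            return None
        real_skel = skeleton(real)
        if skel == real_skel or skel.endswith("." + real_skel):
            return real
    return None


if __name__ == "__main__":
    for candidate in ("google.com", "goog1e.com", "www.paypa1.com"):
        print(candidate, "->", lookalike_of(candidate))
```

This only covers the ASCII substitutions discussed in the message; internationalized (punycode) names and the protected name embedded as a subdomain of another registrable domain need separate handling.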
