On Thu, Aug 22, 2019 at 1:44 PM kirkhalloregon--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Some have responded there is no research saying EV sites have
> significantly less phishing (and are therefore safer) than DV sites – Tim
> has listed two studies that say exactly that, and I’m not aware of any
> studies that say the opposite. I can tell you that anti-phishing services
> and browser phishing filters have also concluded that EV sites are
> very unlikely to be phishing sites and so are safer for users.
>
> Some opponents of the EV UI say it should go away because users don’t
> understand or know how to evaluate the specific organization information
> that’s displayed. That’s true to a point – but an improved EV UI for
> Firefox could follow Apple’s example by showing a binary “identity/no
> identity” UI that would be easy for users to understand – green lock symbol
> and URL for identity (EV), black for no identity (DV). If users want to
> see the specific organization information for the identity sites, it can be
> displayed with one click on the green lock symbol.
>
> users will have different needs to scrutinize identity information at
> different times. Let’s look at currency, for example. Currency contains
> many marks to validate its legitimacy such as watermarks, holograms, and
> the like. The same person may treat currency differently based on
> context. The same person might take cash out of the ATM with little close
> scrutiny but then look closely at the money received from a scalper at a
> sporting event or concert. In the first case, the context is considered to
> be low risk, and in the second it’s considered to be high risk. The
> security indicators are always there, so the relying party can take
> advantage of them when they’re warranted.
> To close - browsers love data, and Mozilla has a lot of really smart
> engineers. That’s why I hope Mozilla will come up with innovative ways to
> use EV data, and not just drop it.
>

Kirk, I think you hit the nail on the head here.

One of the big advantages of the PKI model used in the public Internet is that certificates are independent of browsers. Different systems can use information contained in the same certificate in different ways. The validated information is present in the certificate regardless of the browser UI.

Many browser users have plugins installed to help detect malicious websites and software downloads (frequently as part of an overall Internet security suite along with anti-virus and anti-malware scanners). These Internet security tools can use the EV data to help implement user controllable policies completely independent of the core browser UI.

Additionally, many people and organizations have filtering proxies that can do some level of introspection. My home router can do network filtering and I know large enterprise firewalls do the same. In TLS 1.2, they can review the certificate and terminate the connection if it doesn't meet the policies of the proxy owner. This is an ideal place to check EV and does not rely upon the end user remembering to check if the lock is black or green.

There are also opportunities for browsers here. I have to admit I primarily use Google Chrome, rather than Firefox, so my observations may be a little tainted, but I see various places where signals far more valuable than the green lock could be implemented. Consider that most browsers recognize credit card entry fields -- wouldn't it be great if clicking on one on an EV site showed a little drop down under the input box that said "[CA name here] has certified that [EV info here] is receiving your credit card information"?

I don't see the currently proposed change in the Firefox UI as having a notable impact on the future of EV certificates.

Thanks,
Peter
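
The proxy-side check described in the message, sketched as an added example that is not part of the original post: a policy function that admits a connection only when the leaf certificate asserts the CA/Browser Forum EV policy OID (2.23.140.1.1) and names an organization. `CheckEV`, `sampleCert` and the "Example Corp" certificate are hypothetical and constructed for the demo; validating the chain against roots the proxy owner trusts for EV is assumed to happen separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OID asserted in EV certificates.
var evPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// CheckEV is a hypothetical proxy policy over a DER leaf certificate.
// Assumption: chain validation to an EV-enabled root is done elsewhere.
func CheckEV(der []byte) (allow bool, reason string) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, "unparseable certificate"
	}
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(evPolicy) && len(cert.Subject.Organization) > 0 {
			return true, "EV identity: " + cert.Subject.Organization[0]
		}
	}
	return false, "no EV identity in certificate"
}

// sampleCert builds a constructed, self-signed certificate for the demo.
func sampleCert(org []string, ev bool) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "shop.example", Organization: org},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if ev { // certificatePolicies extension (2.5.29.32) carrying the EV OID
		val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{evPolicy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	fmt.Println(CheckEV(sampleCert([]string{"Example Corp"}, true)))
	fmt.Println(CheckEV(sampleCert([]string{"Example Corp"}, false)))
}
```

The second call shows a certificate that carries an organization name but no EV policy OID being refused, which is the distinction a "require EV" rule has to make.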