On Monday, August 12, 2019 at 2:31:22 PM UTC-4, Wayne Thayer wrote:
> Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
> which is expected to be released on 22-October. Details below.
> 
> If the before and after images are stripped from the email, you can view
> them here:
> 
> Before:
> https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F
> 
> After:
> https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u
> 
> - Wayne
> 
> ---------- Forwarded message ---------
> From: Johann Hofmann <jhofm...@mozilla.com>
> Date: Mon, Aug 12, 2019 at 1:05 AM
> Subject: Intent to Ship: Move Extended Validation Information out of the
> URL bar
> To: Firefox Dev <firefox-...@mozilla.org>
> Cc: dev-platform <dev-platf...@lists.mozilla.org>, Wayne Thayer <
> wtha...@mozilla.com>
> 
> 
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
> 
> Before:
> 
> 
> After:
> 
> 
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
> absence of positive security indicators and proof of concepts have been
> pitting EV against domains <https://www.typewritten.net/writer/ev-phishing/>
> for phishing.
> 
> More recently, it has been shown <https://stripe.ian.sh/> that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
> 
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77
> <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
> 
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie for
> working on it!). We're planning to flip this pref to false in bug 1572936
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
> 
> Please let us know if you have any questions or concerns,
> 
> Wayne & Johann

Wayne & Johann, 

Thanks for providing this outlet to accept feedback from interested parties. 
I'll get right to the point here. 

Extended Validation certs have ONE main purpose which is to identify the owner 
of the website it is securing. The encryption is the same as a DV cert, but 
with a DV cert a site visitor has NOTHING to validate who owns the website.

In reading through this month long thread it appears there are two sides of 
this EV conversation...  
those who believe in the purpose of the EV cert's function and purpose, 
and those who think that it's worthless because the general website visitor 
doesn't understand it (I agree with BOTH sides). It's this main disagreement 
within the thread that I think I can shed some light on. 

Take any visual object that most folks recognize, let's say a STOP sign for 
this comparison. We all recognize a STOP sign as being red & white, block 
letters, octagon shaped, and on the right side of the road, serving a very 
important purpose... 
Now imagine if every state in America had a different design, shape, color, 
location, etc for their STOP signs. Not only that, but every 2-3 years each 
state changes something about their STOP signs. Eventually the general public 
is going to be unable to understand or differentiate the point and purpose of 
the STOP signs because they are constantly changing. They serve a very 
important purpose but different states would not work together to deliver a 
consistent message about that important purpose. 

Very similar scenario with EV certs which serve a very important function of 
identifying the site owner, but are lost on the general internet public because 
of the constant changing of the different browsers' displays of EV certs. 

It seems that the Certificate Authorities are doing their jobs quite well in 
regards to EV certs and making sure that it is very difficult for 
non-qualified/verified sites to get them according to a recently concluded 
study by Georgia Tech CyFI Lab 
(https://www.helpnetsecurity.com/2019/08/01/ev-ssl-certificate/), a well 
respected technical institution, NOT funded by the CA industry. It seems that 
most of the browser representatives continue citing this lack of EV recognition 
as their reasons for dismantling the differentiation between EV and DV certs. 
Problem is, the browsers seem to be the ones that have caused the lack of 
recognition. 

By comparison, anyone can purchase a domain name, set up a hosting plan & 
email, obtain a DV certificate, and start phishing (with the browser 
padlock)...  all without ever having to prove their identity.

Instead of stripping out the only effort in the industry for internet users to 
understand who owns the websites they're visiting, why don't browsers become 
better stewards of internet trust & safety and work together to create a 
consistent message around differences of padlock encryption versus encryption 
PLUS identity verification? Maybe a publicly available repository (similar to 
Certificate Transparency) where CAs have to post the sources used to validate 
all their issued EV certs? 

It seems that browser makers' dissatisfaction (or worse) with the CA industry is 
fueling decisions that are not "better" for the internet public in general, 
just worse for the CA industry.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy