(For the avoidance of doubt, although I work for Mozilla, as noted on
the wiki I post in a personal capacity)
In addition to Ryan's excellent points, I wanted to briefly point out a
few things related to your survey:
On 22/09/2019 00:52, Kirk Hall wrote:
> (1) *97%* of respondents agreed or strongly agreed with the statement: "Customers /
> users have the right to know which organization is running a website if the website asks
> the user to provide sensitive data."
Although I intuitively would like to think that we have a right to know
"who is running a website", this doesn't mean that EV certificate
information is an appropriate vehicle for this information. Even without
all the significant issues that EV certification has, if we pretended it
was perfect, it still only shows UI for the TLS connection made for the
top-level document, whereas other resources and subframes could easily
have (and usually do) come from other domains that either do not have an
EV cert or have one belonging to a different entity. And even if that
were not the case, the entity controlling the website does not
necessarily control the data in a legal sense.*** So the EV UI does not,
in the legal sense, always indicate who will control the "sensitive
data" that users/customers submit.
> (2) *93%* of respondents agreed or strongly agreed with the statement “Identity
> on the Internet is becoming increasingly important over time.”
This sounds very nice but doesn't mean anything. What kind of identity?
Whose identity? Important to whom? Why does it have anything to do with EV?
> (3) When respondents were asked “How important is it that your website has an
> SSL certificate that tells customers they are at your company's official
> website via a unique and consistent UI in the URL bar?” *74%* said it was
> either extremely important or very important to them. Another *13%* said it was
> somewhat important (total: *87%*).
This again sounds very nice, but surely the actually important thing is
that (potential) customers realize when they are *not* at that official
website when some other website tries to persuade them to part with
their data/money (so that they don't, or if they do, don't blame the
"real" company later)? As has been pointed out repeatedly in this forum,
we have pretty good evidence that customers do not, in fact, realize the
absence of the EV indicator, as well as evidence that such indicators
can be "spoofed", viz. the Stripe Inc. work.
If anything, this survey shows that the 87% of people who thought this
was important misunderstood where the risks of digital identity
confusion lie.
> (4) When respondents were asked “Do you believe that positive visual signals in
> the browser UI (such as the EV UI for EV sites) are important to encourage
> website owners to choose EV certificates and undergo the EV validation process
> for their organization?” *73%* said it was either extremely important or very
> important to them. Another *17%* said it was somewhat important (total *90%*).
This implies that the UI is the/a main motivator for people to get these
certificates, but doesn't by itself have any implications for the
importance of that UI in keeping consumers and businesses safe.
If 90% of people surveyed think that people should wear helmets when
cycling, that's good for people selling bicycle helmets but doesn't have
anything to do with how effective those helmets are at preventing
injuries in cyclists.
> (5) *92%* agreed or strongly agreed with the statement: “Web browser security
> indicators should be standardized across different browsers to make the UI
> easier for users to understand.”
> (6) Finally, when asked “Do you think browsers should standardize among
> themselves on a common Extended Validation UI so that it appears roughly the
> same in all browsers?” *91%* said yes.
Both of these actually appear to be arguments for Firefox not to
reinstate its in-address-bar EV UI, given that all the other browsers
have moved this information out of there. The most consistent UI is only
providing this information when activating (clicking/tapping/...) the
lock icon, which is what browsers have now pretty universally implemented.
> We again recommend the binary Apple UI to all browsers, which works in both
> desktop and mobile environments and distinguishes between EV/identity sites
> (with a green lock symbol and URL) and DV/anonymous sites (with a black lock
> symbol and URL) – check it out on an iPhone. (Apple did not eliminate the EV
> UI, as some have erroneously said.) This is easy for users to understand at a
> glance.
With due respect to the good folks at Apple, I do not believe this is an
accessible solution (distinguishing information only by colour,
https://www.w3.org/TR/WCAG20/#visual-audio-contrast ).
Additionally, (even if we presuppose EV certs were perfect) it does not
help address the requests made in your survey's questions #1 and #3, i.e.
which organization is actually running this website or controlling your
data? It only establishes that *some* organization got an EV certificate
for this site... you'd have to click/tap through to see, and your own
recommendation text here suggests this is "easy for users to understand
at a glance", glossing over the fact that they would actually have to
click through to see the identity information that you think is so
important, and that even then they may be vulnerable to confusion given
all the prior research into how poorly enforced restrictions in company
registers are in many countries, the possibility for confusion across
jurisdictions, etc.
In other words, it is not "easy to understand" at all...
~ Gijs
*** This may be a confusing point. In the EU, under GDPR, it appears
(IANAL) to be legal for an organization to run a database and front it
with a website allowing modification, on behalf of some other entity. In
this case, that other entity is the data controller, the website
operator is "merely" the "data processor". For a practical example, the
UK electoral register (or "electoral roll") is considered held/"owned"
by individual councils, but usually updating their records is contracted
out to private companies as it's felt they'd do a better job than the
small council's own IT department in managing/securing this data. An
example is ERS, whose privacy policy is here
https://householdresponse.com/Home/Policy . The certificate is for
"Electoral Reform Services Ltd (GB)", but the data controller is
actually the respective city/town/borough/county councils, and if I
wanted to request copies or corrections of the information held on me
from the register, under GDPR I'd have to contact my council, not the
company running the website; ditto for requests to "stop processing [my]
information".
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy