Kirk Hall via dev-security-policy <[email protected]> writes:
>To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server
>certificate customers

And what a marvellously disingenuous "survey" it is too, artfully constructed to produce exactly the result the CA's marketing department wants. Mixed in with a series of motherhood-and-apple-pie leading questions that no-one could answer "no" to, to yes-prime the respondents, are a few vaguely worded EV questions that you want the yes response to (by vague I mean nonsense like "Do you believe that positive visual signals in the browser UI are important to encourage website owners to choose EV certificates and undergo the EV validation process for their organization?", which translates to "Do you believe browsers should act as marketing agents for our EV certificates?" while totally avoiding ever asking the real question, "Do you believe EV certificates make the web safer to use?"). Even then, the response is a little surprising because the priming questions aren't 100% - what sort of pinko commie subversive answers "no" to "Customers / users have the right to know which organization is running a website if the website asks the user to provide sensitive data"?

Allow me to propose an equivalent dishonest poll that gets the exact opposite result. First a few push-poll questions to set the scene, "Given that Russian criminals have stolen $2B from US citizens via web browser phishing attacks in the last 12 months + <token question to disguise the fact that this is a push poll>". Then the same motherhood-and-apple-pie questions to yes-bias the respondents. Finally, the question I want the yes answer to. What would you like? Fine CAs whose certificates are misused? Force browser vendors to provide security guarantees for the web sites where they display all-OK indicators? Death penalty for phishers? I can get you any result you like, what's it worth to you?
In any case, as with a previous EV cert poll done by another CA a few years ago, this one surveys the efficacy of EV certificate marketing, not their utility in preventing phishing and whatnot.

Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

