Extended validation was introduced at a time when mostly everyone browsed
the internet using low/medium resolution large screen devices that provided
the room for an extended validation style visual security indicator.
Everything has moved on and purchases are made on small screen devices that
have no room to support an extended validation style visual security
indicator. Apple supported the extended validation style visual security
indicator in the iOS browser and it failed [1] [2].

It's right that we are removing the extended validation style visual
security indicator from browsers because of a) the above statement b)
normal users don't understand extended validation style visual security
indicators c) the inconsistencies of extended validation style visual
security indicator between browsers d) users can't tell who is real or not
based on extended validation style visual security indicators as company
names sometimes don't match the actual site name.

[1] https://www.typewritten.net/writer/ev-phishing
[2] https://stripe.ian.sh

Thank you

Burton

On Fri, Oct 25, 2019 at 5:35 AM Phillip Hallam-Baker via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org>
> > writes:
> >
> > >we conducted the same research with 85,000 active users over a period of
> > >12 months
> >
> > As I've already pointed out weeks ago when you first raised this, your
> > marketing department conducted a survey of EV marketing effectiveness. If
> > you have a refereed, peer-reviewed study published at a conference or in
> > an academic journal, please reference it, not a marketing survey
> > masquerading as a "study".
>
>
> There are certainly problems with doing usability research. But right now
> there is very little funding for academic studies that are worth reading.
>
> You didn't criticize the paper with 27 subjects split into three groups
> from 2007. Nor did you criticize the fact that the conclusions were totally
> misrepresented.
>
> So it doesn't appear to be spurious research that you have a problem with
> or the misrepresentation of the results. What you seem to have a problem
> with is the conclusions.
>
> At least with 85,000 subjects there is some chance that Paul himself has
> found out something of interest. That doesn't mean that we have to accept
> his conclusions as correct, or incontrovertible but I think it does mean
> that he deserves to be treated with respect.
> I am not at all happy with the way this discussion has gone. It seems that
> contrary to the claims of openness, Mozilla has a group think problem. For
> some reason it is entirely acceptable to attack CAs for any reason and with
> the flimsiest of evidence.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>