On Fri, Oct 25, 2019 at 4:21 AM James Burton <j...@0.me.uk> wrote:

> Extended validation was introduced at a time when mostly everyone browsed
> the internet using low/medium resolution large screen devices that provided
> the room for an extended validation style visual security indicator.
> Everything has moved on and purchases are made on small screen devices that
> have no room to support an extended validation style visual security
> indicator. Apple supported extended validation style visual security
> indicator in iOS browser and it failed [1] [2].
>
> It's right that we are removing the extended validation style visual
> security indicator from browsers because of a) the above statement b)
> normal users don't understand extended validation style visual security
> indicators c) the inconsistencies of extended validation style visual
> security indicator between browsers d) users can't tell who is real or not
> based on extended validation style visual security indicators as company
> names sometimes don't match the actual site name.
>
> [1] https://www.typewritten.net/writer/ev-phishing
> [2] https://stripe.ian.sh
>

The original proposal that led to EV was actually to validate the company
logos and present them as logotype.
There was a ballot proposed here to bar any attempt to even experiment with
logotype. This was withdrawn after I pointed out to Mozilla staff that
there was an obvious antitrust concern in using the threat of withdrawing
roots from a browser with 5% market share to suppress deployment of any
feature.

Now for the record, that is what a threat looks like: we will destroy your
company if you do not comply with our demands. Asking to contact the
Mozilla or Google lawyers because they really need to know what one of
their employees is doing is not.

Again, the brief here is to provide security signals that allow the user to
protect themselves.


-- 
Website: http://hallambaker.com/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
