On Oct 25, 2019, at 7:56 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
> 
> 
> 
> On Fri, Oct 25, 2019 at 4:21 AM James Burton <j...@0.me.uk 
> <mailto:j...@0.me.uk>> wrote:
> Extended validation was introduced at a time when mostly everyone browsed the 
> internet using low/medium resolution large screen devices that provided the 
> room for an extended validation style visual security indicator . Everything 
> has moved on and purchases are made on small screen devices that has no room 
> to support an extended validation style visual security indicator. Apple 
> supported  extended validation style visual security indicator in iOS browser 
> and it failed [1] [2].

[PW] Phil knows more about the intent so I’ll defer to his response at the end 
of this thread. I would like to add that computer screens bigger than mobile 
devices aren’t going away. So focusing only on mobile isn’t a good idea. 

Thanks for the constructive conversation James, finally :) But I don’t 
necessarily agree with your assertion about there being a lack of room to 
support identity. It all comes down to priority as you know. We could have said 
that Firefox mobile didn’t have enough room for tracking icons/settings before 
it was implemented - but because Mozilla feels this is important, they made the 
room. They made assertions about the lack of real estate for identity prior to 
implementing visual indicators for tracking. 

Mozilla once asserted that it wouldn’t implement any filtering 
tools/preferences for any reason because it was considered “censorship”. They 
have clearly changed their position - thankfully, with the filters for 
trackers/ads. 

Mozilla dropped its mobile browser strategy completely for a long period of 
time, but the team is now focused on mobile again. So things do change with 
time and realization of market conditions and mistakes. Everyone makes mistakes.

> 
> It's right that we are removing the extended validation style visual security 
> indicator from browsers because of a) the above statement b)

One could argue that there’s less room inside an app WebView - where there's so 
much inconsistency it hurts my head. Here’s an example of a design 
implementation that *might* work to help demonstrate my point about there being 
enough room - it’s not ideal but I only spent 5 minutes on it. [1] 

> normal users don't understand extended validation style visual security 
> indicators c)

Because they were never educated properly - UX sucked more than anything. But 
you don’t just remove something without iterating to achieve product/market 
fit. That’s what happened with identity.

> the inconsistencies of extended validation style visual security indicator 
> between browsers d) users can't tell who is real or not based on extended 
> validation style visual security indicators as company names sometimes don't 
> match the actual site name. 

I agree. This is why they should have been improved instead of removed. Mozilla 
will likely iterated the UI/UX around tracking to improve adoption.

Ian, like every other commentator I’ve read on this subject, say things that I 
agree with. But their conclusions and proposals are completely flawed in my 
opinion. As I’ve said before, you don’t just remove something that doesn’t see 
major adoption - you iterate/test. You’d only remove UI if you know for sure 
that it can’t be improved - there’s no data to suggest that any research was 
done around this. Mozilla have only supplied links to research that’s flawed 
and so old it’s useless. I’m blown away by their referencing research from more 
than 10 years ago. Some amazing people on this list weren’t even working with 
web tech back then. 

> 
> [1]  https://www.typewritten.net/writer/ev-phishing 
> <https://www.typewritten.net/writer/ev-phishing>
> [2]  https://stripe.ian.sh <https://stripe.ian.sh/>
>  

[PW] [1] https://imgur.com/Va4heuo

- Paul




> The original proposal that led to EV was actually to validate the company 
> logos and present them as logotype.
> There was a ballot proposed here to bar any attempt to even experiment with 
> logotype. This was withdrawn after I pointed out to Mozilla staff that there 
> was an obvious anti-Trust concern in using the threat of withdrawing roots 
> from a browser with 5% market share to suppress deployment of any feature.
> 
> Now for the record, that is what a threat looks like: we will destroy your 
> company if you do not comply with our demands. Asking to contact the Mozilla 
> or Google lawyers because they really need to know what one of their 
> employees is doing is not.
> 
> Again, the brief here is to provide security signals that allow the user to 
> protect themselves.
> 
> -- 
> Website: http://hallambaker.com/ <http://hallambaker.com/>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to