> On Oct 28, 2019, at 2:12 PM, James Burton <j...@0.me.uk> wrote:
> [PW] Phil knows more about the intent so I’ll defer to his response at the 
> end of this thread. I would like to add that computer screens bigger than 
> mobile devices aren’t going away. So focusing only on mobile isn’t a good 
> idea. 
> Thanks for the constructive conversation James, finally :) But I don’t 
> necessarily agree with your assertion about there being a lack of room to 
> support identity. It all comes down to priority as you know. We could have 
> said that Firefox mobile didn’t have enough room for tracking icons/settings 
> before it was implemented - but because Mozilla feels this is important, they 
> made the room. They made assertions about the lack of real estate for 
> identity prior to implementing visual indicators for tracking. 
> Mozilla once asserted that it wouldn’t implement any filtering 
> tools/preferences for any reason because it was considered “censorship”. They 
> have clearly changed their position - thankfully, with the filters for 
> trackers/ads. 
> Mozilla dropped its mobile browser strategy completely for a long period of 
> time, but the team is now focused on mobile again. So things do change with 
> time and realization of market conditions and mistakes. Everyone makes 
> mistakes.
>> It's right that we are removing the extended validation style visual 
>> security indicator from browsers because of a) the above statement b)
> One could argue that there’s less room inside an app WebView - where there's 
> so much inconsistency it hurts my head. Here’s an example of a design 
> implementation that *might* work to help demonstrate my point about there 
> being enough room - it’s not ideal but I only spent 5 minutes on it. [1] 
> I took a look at your concept of an extended validation type visual security 
> indicator and the conclusion is that it doesn't provide any assurance to the 
> users that the website is vetted or trustworthy. This concept is similar to 
> the padlock visual security indicator and that too doesn't provide any 
> assurance to the users that the website is vetted or trustworthy. The padlock 
> visual security indicator only provides the user a visual indication that the 
> connection is encrypted.

[PW] You’re getting hooked on an icon. Please don’t do that. I’m just showing 
you that it’s possible to find real estate. You said there was no room. I 
proved there is. So how about you either admit to being wrong, or explain why 
I’m wrong instead of commenting on the shape, size and color of an icon. I’m 
shrugging my shoulders at your reply. 

Separately, this particular visual indicator worked and continues to work for 
us - but again, let’s not debate on the design elements.

> Read Emily Stark's Twitter response regarding Chrome and the removal of the 
> padlock visual security indicator: 
> https://twitter.com/estark37/status/1183769863841386496?s=20 
>> normal users don't understand extended validation style visual security 
>> indicators c)
> Because they were never educated properly - UX sucked more than anything. But 
> you don’t just remove something without iterating to achieve product/market 
> fit. That’s what happened with identity.
> Users shouldn't have to go through education lessons to recognise different 
> positive visual security indicators. It's a stupid idea.

[PW] So you dislike Mozilla’s implementation for the tracker icon in the 
address bar? When you update to 70.0 you’re prompted with an educational-type 
pop-out to draw your attention to the visual indicator. Do you think that’s a 
bad idea? Do you think users should just know how to use browser software? 

> Next stupid idea will be expecting users to go through a compulsory exam to 
> learn about the different positive visual security indicators. 

[PW] That’s pretty insulting but I’ve come to expect that from people who 
disagree with me on this list. I don’t see anyone else contributing in any way, 
in regards to how we can address this problem through collaboration. All I hear 
is childish screaming; “EV is broken” - it’s like a broken record with zero 
data. We know old implementations were crap. But that’s like saying the first 
version of the seatbelt was flawed, so it shouldn’t have progressed through 
design iteration to make it work. 

BTW Brave has an indicator for shields - seems to work pretty well. That’s a 
type of security that requires user education. But with good UI/UX it’s 
possible to get it right - which is why I guess Brave is taking market share 
from Firefox and Chrome and will continue to do so as it does some things 

> If failed, they can't purchase goods online. If passed, they get a license 
> issued to allow them to purchase goods online. 
> Browsers iterating positive visual security indicators to achieve 
> product/market fit is another stupid idea. It's good for CAs profit margins. 
> It's bad for users as it will totally confuse them. Even if we did go down 
> this stupid path, how many times would browsers need to change the visual 
> security indicators to suit the CAs product?

[PW] Now we’re getting to it. You’re showing your true colors. Try to separate 
CAs from the browser-based UI/UX for security. CAs and EV is just one 
implementation of website identity in my opinion. “Website identity” is much 
bigger than CAs/EV. That’s why I don’t use the term “EV” much - it draws out 
hate from the CA-haters who aren’t able to see beyond their hate.

Personally, I’m aiming for a fully decentralized world for the decision making 
process around URL classification - using a token curated registry. But that’s 
the endgame. Furthermore, MetaCert has verified more domains than the total 
number of EV certs globally - for FREE. I digress and would rather not mention 
my company name - but I must, if I’m to prove you wrong or show how you are 

In other news, it is ok for some companies to generate revenue from things that 
can add value to some people’s lives. Do you like getting free services and 
becoming the product? Do you like how some browsers are creepy by tracking your 
every move so they can see advertising? 

I previously gave an example of how identity can be done for every .GOV domain 
given that it’s a highly regulated TLD. There are other gTLDs and ccTLDs that 
are regulated - they wouldn’t need third-party validation. If there was an 
indicator that told you when you were really on a .GOV site and not a deceptive 
site, I’d say that was value add.

Feel free to suggest ideas on how to fix things instead of calling my ideas 
“stupid” - removing stuff and sticking your head in the sand screaming “EV is 
broken” doesn’t help. 

>> the inconsistencies of extended validation style visual security indicator 
>> between browsers d) users can't tell who is real or not based on extended 
>> validation style visual security indicators as company names sometimes don't 
>> match the actual site name. 
> I agree. This is why they should have been improved instead of removed. 
> Mozilla will likely iterate the UI/UX around tracking to improve adoption.
> Above. Stupid idea.

[PW] You haven’t said anything that would make me think I should listen to your 
assertion about my idea being stupid. I’ve provided a massive number of data 
points from which I draw conclusions. Instead of slamming the conclusion try to 
address anything that led me to those conclusions or explain why you think they 
are wrong. 

> Ian, like every other commentator I’ve read on this subject, says things that 
> I agree with. But their conclusions and proposals are completely flawed in my 
> opinion. As I’ve said before, you don’t just remove something that doesn’t 
> see major adoption - you iterate/test. You’d only remove UI if you know for 
> sure that it can’t be improved - there’s no data to suggest that any research 
> was done around this. Mozilla have only supplied links to research that’s 
> flawed and so old it’s useless. I’m blown away by their referencing research 
> from more than 10 years ago. Some amazing people on this list weren’t even 
> working with web tech back then.
> Extended validation isn't a new concept and it has been proven it has failed.

[PW] If you read any of my previous messages you’d know that I’m pretty 
familiar with EV. Browsers who didn’t implement identity UI/UX properly are the 
ones who should be addressed - they’re the ones who are responsible for 
displaying it. 

- Paul

>> [1]  https://www.typewritten.net/writer/ev-phishing
>> [2]  https://stripe.ian.sh
> [PW] [1] https://imgur.com/Va4heuo
> - Paul
>> The original proposal that led to EV was actually to validate the company 
>> logos and present them as logotype.
>> There was a ballot proposed here to bar any attempt to even experiment with 
>> logotype. This was withdrawn after I pointed out to Mozilla staff that there 
>> was an obvious anti-Trust concern in using the threat of withdrawing roots 
>> from a browser with 5% market share to suppress deployment of any feature.
>> Now for the record, that is what a threat looks like: we will destroy your 
>> company if you do not comply with our demands. Asking to contact the Mozilla 
>> or Google lawyers because they really need to know what one of their 
>> employees is doing is not.
>> Again, the brief here is to provide security signals that allow the user to 
>> protect themselves.
>> -- 
>> Website: http://hallambaker.com/

dev-security-policy mailing list