Duane wrote:
> As usual I've come to the conclusion that mozilla reps are asking for
> feedback, but don't really care for answers as their minds are either
> made up, or just don't care.

I certainly care for answers. Of course, I'm not going to be the one doing the implementing; I suspect that the decision will be taken by Dan Veditz (security) and Mike Beltzner (UI), in consultation with others.

> Until numerous conditions have been met forcing all sites doing some
> form of business into using EV certificates (and paying through the nose
> for it), people will continue to use cheap certs to operate, and
> phishing sites will continue not to use certs at all, and so what is
> gained unless you not only have an approach for how to issue EV certs
> compared to enforcing their use?

If phishing sites continue to use no certs, and people continue to be fooled, then yes, EV does not help. As I've said before, it's hard to protect the guy who types his CC number into any form which asks for it. Some amount of user education is inevitable - that is true even if EV didn't exist.

On the other hand, if you want to spoof PayPal and PayPal has an EV certificate, one might hope that the fact that there's been a green bar every time before, combined with PayPal's regular reminders on various pages to "check for the green bar", might make people pause for thought if the bar is not there. It's a lot more obvious than the lock, after all.

> This is where the scammers will win, because to get the majority across
> you would have to have a low price point, and that isn't going to happen.

I don't think that's necessarily true. And anyway, neither you nor I have a good idea what sort of price point these certificates are going to come out at. Given that there is competition in the CA market, I'm hoping the prices will be reasonable. And, as the green bar becomes synonymous with a degree of safety, more sites will want it.

> What's really sad here is instead of leading security mozilla are happy
> to follow like sheeple, instead of embracing university researchers in
> ways of making browsing safe, they are embracing and extending
> Verisign's bank balance.

Now is not the time to again bring up my personal issues with various proposals which have been made in the past; but I would comment in general that often, while proposals have a good understanding of security, they have a less than perfect understanding of usability.

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security