Johnathan Nightingale wrote:
> The second part is critical, because one thing I haven't seen reflected
> much in this thread (for obvious reasons) is that a cert is not the only
> source of info we have here. We have a user's browsing history ("Note:

I posted some comments on this exact topic a few weeks/months ago.

In the past, before EV certs were dreamt up, there were university
based/trained security researchers doing trials on how to protect users
by altering the chrome and other techniques. However, these researchers
were shunned by Mozilla developers and staff, and they basically left to
pursue the same effort into building tools etc. for other products, as
they felt their time/efforts were being wasted.

HP even released a tool bar for IE based on some of the research they
published.

Now the same amount of research hasn't ever been looked at for EV; in
fact, the only research on this topic is one study that shows that
researchers can make people "feel" safe by having a green bar. Even if
the site is a scam site, people feel they are doing the right thing. Let's
hope history has been learnt from.

So why is it that EV is being given special treatment with little or no
positive research, yet other techniques are basically being ignored? Is
it because there is no money/business model in actually protecting users
properly?

--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."