Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-25 Thread Phillip Hallam-Baker via dev-security-policy
On Fri, Oct 25, 2019 at 4:21 AM James Burton  wrote:

> Extended validation was introduced at a time when almost everyone browsed
> the internet using low/medium resolution large screen devices that provided
> the room for an extended validation style visual security indicator.
> Everything has moved on and purchases are made on small screen devices that
> have no room to support an extended validation style visual security
> indicator. Apple supported an extended validation style visual security
> indicator in the iOS browser and it failed [1] [2].
>
> It's right that we are removing the extended validation style visual
> security indicator from browsers because of a) the above statement b)
> normal users don't understand extended validation style visual security
> indicators c) the inconsistencies of extended validation style visual
> security indicator between browsers d) users can't tell who is real or not
> based on extended validation style visual security indicators as company
> names sometimes don't match the actual site name.
>
> [1]  https://www.typewritten.net/writer/ev-phishing
> [2]  https://stripe.ian.sh
>

The original proposal that led to EV was actually to validate the company
logos and present them as logotype.
There was a ballot proposed here to bar any attempt to even experiment with
logotype. This was withdrawn after I pointed out to Mozilla staff that
there was an obvious antitrust concern in using the threat of withdrawing
roots from a browser with 5% market share to suppress deployment of any
feature.

Now for the record, that is what a threat looks like: we will destroy your
company if you do not comply with our demands. Asking to contact the
Mozilla or Google lawyers because they really need to know what one of
their employees is doing is not.

Again, the brief here is to provide security signals that allow the user to
protect themselves.


-- 
Website: http://hallambaker.com/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-25 Thread James Burton via dev-security-policy
Extended validation was introduced at a time when almost everyone browsed
the internet using low/medium resolution large screen devices that provided
the room for an extended validation style visual security indicator.
Everything has moved on and purchases are made on small screen devices that
have no room to support an extended validation style visual security
indicator. Apple supported an extended validation style visual security
indicator in the iOS browser and it failed [1] [2].

It's right that we are removing the extended validation style visual
security indicator from browsers because of a) the above statement b)
normal users don't understand extended validation style visual security
indicators c) the inconsistencies of extended validation style visual
security indicator between browsers d) users can't tell who is real or not
based on extended validation style visual security indicators as company
names sometimes don't match the actual site name.

[1]  https://www.typewritten.net/writer/ev-phishing
[2]  https://stripe.ian.sh

Thank you

Burton

On Fri, Oct 25, 2019 at 5:35 AM Phillip Hallam-Baker via
dev-security-policy  wrote:

> On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Paul Walsh via dev-security-policy <
> dev-security-policy@lists.mozilla.org>
> > writes:
> >
> > >we conducted the same research with 85,000 active users over a period of
> > >12 months
> >
> > As I've already pointed out weeks ago when you first raised this, your
> > marketing department conducted a survey of EV marketing effectiveness.
> If
> > you have a refereed, peer-reviewed study published at a conference or in
> > an academic journal, please reference it, not a marketing survey
> > masquerading as a "study".
>
>
> There are certainly problems with doing usability research. But right now
> there is very little funding for academic studies that are worth reading.
>
> You didn't criticize the paper with 27 subjects split into three groups
> from 2007. Nor did you criticize the fact that the conclusions were totally
> misrepresented.
>
> So it doesn't appear to be spurious research that you have a problem with
> or the misrepresentation of the results. What you seem to have a problem
> with is the conclusions.
>
> At least with 85,000 subjects there is some chance that Paul himself has
> found out something of interest. That doesn't mean that we have to accept
> his conclusions as correct, or incontrovertible, but I think it does mean
> that he deserves to be treated with respect.
>
> I am not at all happy with the way this discussion has gone. It seems that
> contrary to the claims of openness, Mozilla has a groupthink problem. For
> some reason it is entirely acceptable to attack CAs for any reason and with
> the flimsiest of evidence.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Phillip Hallam-Baker via dev-security-policy
On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy 
> writes:
>
> >we conducted the same research with 85,000 active users over a period of
> >12 months
>
> As I've already pointed out weeks ago when you first raised this, your
> marketing department conducted a survey of EV marketing effectiveness.  If
> you have a refereed, peer-reviewed study published at a conference or in
> an academic journal, please reference it, not a marketing survey
> masquerading as a "study".


There are certainly problems with doing usability research. But right now
there is very little funding for academic studies that are worth reading.

You didn't criticize the paper with 27 subjects split into three groups
from 2007. Nor did you criticize the fact that the conclusions were totally
misrepresented.

So it doesn't appear to be spurious research that you have a problem with
or the misrepresentation of the results. What you seem to have a problem
with is the conclusions.

At least with 85,000 subjects there is some chance that Paul himself has
found out something of interest. That doesn't mean that we have to accept
his conclusions as correct, or incontrovertible, but I think it does mean
that he deserves to be treated with respect.

I am not at all happy with the way this discussion has gone. It seems that
contrary to the claims of openness, Mozilla has a groupthink problem. For
some reason it is entirely acceptable to attack CAs for any reason and with
the flimsiest of evidence.


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
Apologies for the massive number of typos. I was angry when I read the response 
to my thoughtful messages. I tried my best to hold back. I didn’t even have the 
energy to check what I’d written before hitting send. 



> On Oct 24, 2019, at 7:37 PM, Paul Walsh  wrote:
> 
> 
>> On Oct 24, 2019, at 6:53 PM, Peter Gutmann  wrote:
>> 
>> Paul Walsh via dev-security-policy  
>> writes:
>> 
>>> we conducted the same research with 85,000 active users over a period of 
>>> 12 months
>> 
>> As I've already pointed out weeks ago when you first raised this, your
>> marketing department conducted a survey of EV marketing effectiveness.  
> 
> [PW] With respect, Peter, articulating your opinion doesn’t make it a matter
> of fact. Read the article properly and you will see that it’s not from a
> marketing department. It’s a small startup that wanted to conduct a social
> experiment.
> 
>> If
>> you have a refereed, peer-reviewed study published at a conference or in 
>> an academic journal, please reference it, not a marketing survey 
>> masquerading as a "study".
> 
> Rubbish. We don’t need to publish at a conference or in an academic journal 
> for it to demonstrate a point. If *you* don’t want to trust it, that’s ok. I 
> don’t expect everyone to trust everything that is written.
> 
> As Homer Simpson said; “70% of all reports are made up”. 
> 
> Our work is not marketing - you obviously didn’t read the methodology and the 
> reasons or you wouldn’t make such silly comments. 
> 
>> 
>> A second suggestion, if you don't want to publish any research (by which I
>> mean real research, not rent-seeking CA marketing) supporting your position, 
> 
> Did you read any of the words I wrote? I’ve said more than once that I don’t 
> work for a CA - never have. You’re obviously a CA-hater and hate everything 
> that’s ever discussed about website identity. Haters are gonna hate. I 
> couldn’t be more impartial.
> 
> 
>> is that you fork Firefox - it is after all an open-source product - add 
>> whatever EV UI you like to it, and publish it as an alternative to Firefox.  
>> If your approach works as you claim, it'll be so obviously superior to 
>> Firefox that everyone will go with your fork rather than the original.
> 
> Another weird comment. Forking code and building products doesn’t mean people
> will use it. I have nothing to prove to anyone. If all the browser vendors
> did as I suggest it would mean there’s no need for our flagship product. So
> how on earth could I be biased? My commentary is counterproductive for my
> shareholders and team. But I care about what’s in the best interest of the
> industry. You clearly don’t because you need to have the word “Google” or
> “Stanford” stamped on a PDF. None of the authors of any of those documents
> come close to the level of experience that my team and I have - including
> our industry contributions. I was the first person to ever re-write Tim
> Berners-Lee’s vision of the “one web” when I co-founded the Mobile Web
> Initiative. I shouldn’t have to throw these things around just to appease
> you. Do your research if you actually care.
> 
>> 
>> For everyone else who feels this interminable debate has already gone on
>> far too long and I'm not helping it, yeah, sorry, I'd consigned the thread 
>> to the spam folder for a while, had a brief look back, and saw this, which
>> indicates it's literally gone nowhere in about a month.
> 
> Go play in your spam folder for a little longer because I’m done responding
> to your insults. You didn’t question anything outside our intent, which is to
> question my integrity. I won’t accept that - it’s as insulting as it gets.
> 
>> 
>> I can see why Mozilla avoided this endless broken-record discussion, it's
>> not contributing anything but just going round and round in circles.
> 
> It’s going around in circles because you refuse to take the time and effort 
> to read what has been written. Instead, you assume we have ulterior motives. 
> As I’ve said, my motives are not necessarily in the best interest of my 
> company. 
> 
> - Paul
> 
>> 
>> Peter.
> 



Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy

> On Oct 24, 2019, at 6:53 PM, Peter Gutmann  wrote:
> 
> Paul Walsh via dev-security-policy  
> writes:
> 
>> we conducted the same research with 85,000 active users over a period of 
>> 12 months
> 
> As I've already pointed out weeks ago when you first raised this, your
> marketing department conducted a survey of EV marketing effectiveness.  

[PW] With respect, Peter, articulating your opinion doesn’t make it a matter
of fact. Read the article properly and you will see that it’s not from a
marketing department. It’s a small startup that wanted to conduct a social
experiment.

> If
> you have a refereed, peer-reviewed study published at a conference or in 
> an academic journal, please reference it, not a marketing survey 
> masquerading as a "study".

Rubbish. We don’t need to publish at a conference or in an academic journal for 
it to demonstrate a point. If *you* don’t want to trust it, that’s ok. I don’t 
expect everyone to trust everything that is written.

As Homer Simpson said; “70% of all reports are made up”. 

Our work is not marketing - you obviously didn’t read the methodology and the 
reasons or you wouldn’t make such silly comments. 

> 
> A second suggestion, if you don't want to publish any research (by which I
> mean real research, not rent-seeking CA marketing) supporting your position, 

Did you read any of the words I wrote? I’ve said more than once that I don’t 
work for a CA - never have. You’re obviously a CA-hater and hate everything 
that’s ever discussed about website identity. Haters are gonna hate. I couldn’t 
be more impartial.


> is that you fork Firefox - it is after all an open-source product - add 
> whatever EV UI you like to it, and publish it as an alternative to Firefox.  
> If your approach works as you claim, it'll be so obviously superior to 
> Firefox that everyone will go with your fork rather than the original.

Another weird comment. Forking code and building products doesn’t mean people
will use it. I have nothing to prove to anyone. If all the browser vendors did
as I suggest it would mean there’s no need for our flagship product. So how on
earth could I be biased? My commentary is counterproductive for my
shareholders and team. But I care about what’s in the best interest of the
industry. You clearly don’t because you need to have the word “Google” or
“Stanford” stamped on a PDF. None of the authors of any of those documents come
close to the level of experience that my team and I have - including our
industry contributions. I was the first person to ever re-write Tim
Berners-Lee’s vision of the “one web” when I co-founded the Mobile Web
Initiative. I shouldn’t have to throw these things around just to appease you.
Do your research if you actually care.

> 
> For everyone else who feels this interminable debate has already gone on
> far too long and I'm not helping it, yeah, sorry, I'd consigned the thread 
> to the spam folder for a while, had a brief look back, and saw this, which
> indicates it's literally gone nowhere in about a month.

Go play in your spam folder for a little longer because I’m done responding to
your insults. You didn’t question anything outside our intent, which is to
question my integrity. I won’t accept that - it’s as insulting as it gets.

> 
> I can see why Mozilla avoided this endless broken-record discussion, it's
> not contributing anything but just going round and round in circles.

It’s going around in circles because you refuse to take the time and effort to 
read what has been written. Instead, you assume we have ulterior motives. As 
I’ve said, my motives are not necessarily in the best interest of my company. 

- Paul

> 
> Peter.



Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Peter Gutmann via dev-security-policy
Paul Walsh via dev-security-policy  
writes:

>we conducted the same research with 85,000 active users over a period of 
>12 months

As I've already pointed out weeks ago when you first raised this, your
marketing department conducted a survey of EV marketing effectiveness.  If
you have a refereed, peer-reviewed study published at a conference or in 
an academic journal, please reference it, not a marketing survey 
masquerading as a "study".

A second suggestion, if you don't want to publish any research (by which I
mean real research, not rent-seeking CA marketing) supporting your position, 
is that you fork Firefox - it is after all an open-source product - add 
whatever EV UI you like to it, and publish it as an alternative to Firefox.  
If your approach works as you claim, it'll be so obviously superior to 
Firefox that everyone will go with your fork rather than the original.

For everyone else who feels this interminable debate has already gone on
far too long and I'm not helping it, yeah, sorry, I'd consigned the thread
to the spam folder for a while, had a brief look back, and saw this, which
indicates it's literally gone nowhere in about a month.

I can see why Mozilla avoided this endless broken-record discussion, it's
not contributing anything but just going round and round in circles.

Peter.