Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-21 Thread Eric Shepherd (Sheppy) 
I’m glad to hear it; the presence of the EV indicator often occupied so
much space that the URL bar would become practically unusable. Example
attached.


On August 12, 2019 at 4:05:09 AM, Johann Hofmann (jhofm...@mozilla.com)
wrote:

The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.


Eric Shepherd
Senior Technical Writer
MDN Web Docs 
Blog: https://www.bitstampede.com/
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Dão Gottwald 
Are we going to remove support for this pref in a subsequent release?

Am Mo., 12. Aug. 2019 um 10:05 Uhr schrieb Johann Hofmann <
jhofm...@mozilla.com>:

> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
>
> Before:
>
>
> After:
>
>
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
> absence of positive security indicators and proof of concepts have been 
> pitting
> EV against domains  for
> phishing.
>
> More recently, it has been shown  that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
>
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77
> .
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
>
>
>
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
>  (thanks :evilpie
> for working on it!). We're planning to flip this pref to false in bug
> 1572936 .
>
> Please let us know if you have any questions or concerns,
>
> Wayne & Johann
> ___
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

RE: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-12 Thread Marissa (Reese) Wood 
I quite like this.  Thank you for the update!

 

Marissa (Reese) Wood, PMP, CISSP  | Cell Phone   303-506-3282 
|  <mailto:re...@mozilla.com> re...@mozilla.com | Slack: #Marissa (Reese)

 

From: firefox-dev  On Behalf Of Johann Hofmann
Sent: Monday, August 12, 2019 10:05 AM
To: Firefox Dev 
Cc: dev-platform ; Wayne Thayer 

Subject: Intent to Ship: Move Extended Validation Information out of the URL bar

 

In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators 
from the identity block (the left hand side of the URL bar which is used to 
display security / privacy information). We will add additional EV information 
to the identity panel instead, effectively reducing the exposure of EV 
information to users while keeping it easily accessible.

 

Before:

 

  
<https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F>
 

 

After:

 

  
<https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u>
 

 

The effectiveness of EV has been called into question numerous times over the 
last few years, there are serious doubts whether users notice the absence of 
positive security indicators and proof of concepts have been  
<https://www.typewritten.net/writer/ev-phishing/> pitting EV against domains 
for phishing.

 

More recently, it has been  <https://stripe.ian.sh/> shown that EV certificates 
with colliding entity names can be generated by choosing a different 
jurisdiction. 18 months have passed since then and no changes that address this 
problem have been identified.

 

The Chrome team recently removed EV indicators from the URL bar in Canary and 
announced  
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>
 their intent to ship this change in Chrome 77. Safari is also no longer 
showing the EV entity name instead of the domain name in their URL bar, 
distinguishing EV only by the green color. Edge is also no longer showing the 
EV entity name in their URL bar.

 

On our side a pref for this (security.identityblock.show_extended_validation) 
was added in  <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> bug 
1572389 (thanks :evilpie for working on it!). We're planning to flip this pref 
to false in  <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936> bug 1572936.

 

Please let us know if you have any questions or concerns,

 

Wayne & Johann

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-12 Thread Johann Hofmann 
In desktop Firefox 70, we intend to remove Extended Validation (EV)
indicators from the identity block (the left hand side of the URL bar which
is used to display security / privacy information). We will add additional
EV information to the identity panel instead, effectively reducing the
exposure of EV information to users while keeping it easily accessible.

Before:


After:


The effectiveness of EV has been called into question numerous times over
the last few years, there are serious doubts whether users notice the
absence of positive security indicators and proof of concepts have been pitting
EV against domains  for
phishing.

More recently, it has been shown  that EV
certificates with colliding entity names can be generated by choosing a
different jurisdiction. 18 months have passed since then and no changes
that address this problem have been identified.

The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.



On our side a pref for this
(security.identityblock.show_extended_validation) was added in bug 1572389
 (thanks :evilpie for
working on it!). We're planning to flip this pref to false in bug 1572936
.

Please let us know if you have any questions or concerns,

Wayne & Johann
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform