On 17/08/2019 03:15, Peter Gutmann wrote:
Corey Bonnell via dev-security-policy
writes:
the effectiveness of the EV UI treatment is predicated on whether or not the
user can memorize which websites always use EV certificates *and* no longer
proceed with using the website if the EV treatment
I don't know about other CAs, but at SSL.com we issue a very limited number of
EV SSL certificates in comparison to other certificates so it's not a big
revenue driver.
However, as a user I support EV SSL. I personally have never come across a scam
site that displayed an EV SSL (I'm not saying
Corey Bonnell via dev-security-policy
writes:
>the effectiveness of the EV UI treatment is predicated on whether or not the
>user can memorize which websites always use EV certificates *and* no longer
>proceed with using the website if the EV treatment isn't shown. That's a huge
>cognitive
Leo Grove via dev-security-policy
writes:
>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion is on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as
Doug Beattie writes:
>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site
If one compares the first EV specification with the current EV
specification one will notice that the EV specification hasn't changed that
much during its lifetime. The issues presented during the last years through
research have been known about since the first adoption of the EV
specification. If
Honestly the issues, as I see them, are twofold:
1. When I visit a site for the first time, how do I know I should expect
an EV certificate? I am conscientious about subsequent visits, especially
financial industry sites.
2. The browsers seem to have a bias toward the average user, that user
I have a few more comments/annotations:
(1) Pro EV persons argue "Criminals have problems getting an EV certificate, so
most of them are using only DV certificates".
Anti EV persons argue "Criminals just don't use EV certificates, because they
know that end users don't look at the EV indicator
On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote:
>
> By way of background, until recently almost all phishing and malware was on
> unencrypted http sites. They received a neutral UI, and the bad guys didn’t
> have to spend time and money getting a certificate,
Thanks Tim, well written and I completely agree!
In this thread issues have been raised that EV validation is not
perfect and that criminals can obtain an EV certificate (if they reveal
their identity). I also agree that the validation can be improved, but as
Tim stated, that doesn't mean
My apologies for not weighing in earlier, but like many others I was surprised
by this announcement and had to make time to craft this message around other
pressing demands. The original announcement above that the EV UI would be
removed in October cited authorities and articles that were in
>
> See also the screenshot I posted earlier. That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them. These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use. For a little extra payment
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as
On Fri, 16 Aug 2019 13:31:08 +
Doug Beattie via dev-security-policy
wrote:
> DB: One of the reasons that phishers don't get EV certificates is
> because the vetting process requires several interactions and
> corporate repositories which end up revealing more about their
> identity. This
.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy
> mailto:dev-security-policy@lists.mozilla.org > w
From: Ben Laurie
Sent: Friday, August 16, 2019 9:33 AM
To: Doug Beattie
Cc: Jonathan Rudenberg ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
the URL bar
On Fri, 16 Aug 2019 at 14:31, Doug
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
Surely this shows that EV is not needed to make phishing work, not that
From: Jonathan Rudenberg
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
>
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type?
>
> Here is some research that
Validation Information out
of the URL bar
Doug Beattie writes:
>Do you have any empirical data to back up the claims that there is no
>benefit from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data
and research publications on this, and the lack of b
Eric Mill writes:
>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.
See also the screenshot I posted earlier. That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to
> -Original Message-
> From: dev-security-policy On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Valid
Doug Beattie writes:
>So far all I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.
See the phishing stats from any source you care to use. I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL
Doug Beattie writes:
>Do you have any empirical data to back up the claims that there is no benefit
>from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and
On Thu, 15 Aug 2019 22:11:37 +0200
Eric Rescorla via dev-security-policy
wrote:
> I expect this is true, but it seems to me that if anything it is an
> argument that EV doesn't provide security value, not the other way
> around: DV certificates are much cheaper to obtain than EV, and so
>
/cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists
affled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
t; On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
My understanding of the days before EV was that the CAs themselves made up
the validation requirements for DV and because of this there were uneven
validation requirements across the industry. EV was the first document
created to solve this and standardise validation requirements for a
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
So far all I see is a number of contrived test cases picking apart small components
of EV, and no real data to back it up.
I also would like to see more evidence of problems. However, I have to
object to the idea that
Mostly
Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> On Thu, Aug 1
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Peter,
>
> Do you have any empirical data to back up the claims that there is no
> benefit
> from EV certificates? From the reports I've seen, the percentage of
> phishing and
On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote:
> On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via
> dev-security-policy wrote:
> > In old Firefox, I get a green bar if I visit google.com and paypal.com,
> > telling me that this is a well-known company that got
Message-
From: dev-security-policy On
Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
Jakob Bohm
On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via
dev-security-policy wrote:
> In old Firefox, I get a green bar if I visit google.com and paypal.com,
> telling me that this is a well-known company that got the EV certificate.
> The other fake domains goog1e.com and paypa1.com only
Dear Daniel!
> Please tell me if I understand this correctly...
> Is it that DV and EV certificates now both show the same lock symbol?
> That would be a great harm in my opinion. And I do not understand why you
> want this change.
>
> I think EV is very important and I explain why.
>
> Let's
ayne
>
> -- Forwarded message -----
> From: Johann Hofmann
> Date: Mon, Aug 12, 2019 at 1:05 AM
> Subject: Intent to Ship: Move Extended Validation Information out of the
> URL bar
> To: Firefox Dev
> Cc: dev-platform , Wayne Thayer <
> wtha...@mozilla.co
Peter Bowen via dev-security-policy
writes:
>I have to admit that I'm a little confused by this whole discussion. While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.
Oh,
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:
> On 14/08/2019 18:18, Peter Bowen wrote:
> > One thing I've found really useful in working on user experience is to
> > discuss things using problem & solution statements that show the before
> and
> > after. For example, "It used to take 10
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the
On 14/08/2019 18:18, Peter Bowen wrote:
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
A policy of switching from positive to negative indicators of security
differences is no justification to switch to NO indication. And it
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> A policy of switching from positive to negative indicators of security
> differences is no justification to switch to NO indication. And it
> certainly doesn't help user
Daniel Marschall via dev-security-policy
writes:
>I share the opinion with Jakob, except with the CVE. Please remove this
>change. It is unnecessary and kills the EV market.
And that was my motivation for the previous question: We know from a decade of
data that EV certs haven't made any
I share the opinion with Jakob, except with the CVE. Please remove this change.
It is unnecessary and kills the EV market.
But if you insist on keeping that UI change, maybe you can at least give the
lock symbol a different color if it is an EV cert?
ssage -
From: Johann Hofmann
Date: Mon, Aug 12, 2019 at 1:05 AM
Subject: Intent to Ship: Move Extended Validation Information out of the
URL bar
To: Firefox Dev
Cc: dev-platform , Wayne Thayer <
wtha...@mozilla.com>
In desktop Firefox 70, we intend to remove Extended Validation (EV)
in
For an EV certificate to be useful in email, email client software should
give such a certificate special EV treatment. I am not aware of any
email client software that supports any special EV treatment at all. Do
you have more information to share with us?
-- Man Ho
On 13-Aug-19 5:12 PM,
On 2019-08-13 05:27, Peter Gutmann wrote:
Wayne Thayer via dev-security-policy
writes:
Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which
is expected to be released on 22-October. Details below.
Just out of interest, how are the CAs taking this? If there's no
Wayne Thayer via dev-security-policy
writes:
>Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which
>is expected to be released on 22-October. Details below.
Just out of interest, how are the CAs taking this? If there's no more reason
to pay a substantial premium to
> On Aug 12, 2019, at 14:30, Wayne Thayer via dev-security-policy
> wrote:
>
> Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
> which is expected to be released on 22-October. Details below.
Relocate seems the wrong word here. You are basically removing it. A few geeks
-- Forwarded message -
From: Johann Hofmann
Date: Mon, Aug 12, 2019 at 1:05 AM
Subject: Intent to Ship: Move Extended Validation Information out of the
URL bar
To: Firefox Dev
Cc: dev-platform , Wayne Thayer <
wtha...@mozilla.com>
In desktop Firefox 70, we intend to remove Ex