Re: Intent to Ship: Move Extended Validation Information out of the URL bar

[Matt Palmer via dev-security-policy]

On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote:
> That’s where EV certificates can help.  Data shows that websites with EV
> certificates have a very low incidence of phishing.

[...]

> This research validates the results of an earlier study of 3,494 encrypted
> phishing sites in February 2019 [5].  In this study the distribution of
> encrypted phishing sites by certificate type was as follows:
> 
> EV0 phishing sites (0%)

If you replace "EV" in the above with "WombleSecure(TM)(PatPend) security
seal", it is equally as true, and equally irrelevant.  It's the old "tiger
repelling rock" spiel ("Do you see any tigers around?  See, it works
great!") with a splash of X.509 for flavour.

It is not the hardest problem in science to design and execute an experiment
to demonstrate EV's efficacy.  At the most basic level, it could be "here is
a site that was receiving X reports of users being phished per month, they
deployed an EV cert and their report rate went down to Y per month, here are
the confounding factors we considered and here's why they weren't the
cause".  Increase the number of sites to improve power as needed.

That no EV-issuing CA has published the results of such an experiment, given
the large revenues it would protect, and the strong signalling that browsers
have been making over (at least) the last several years, the most plausible
explanation to me is that EV-issuing CAs *have* done the experiments, and
they didn't show anything, so in the finest traditions of
commercially-motivated science, they just buried it.  The other option is
that the management EV-issuing CAs are just clueless, which is possible, but
not really any more comforting.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

[Matt Palmer via dev-security-policy]

On Fri, Aug 16, 2019 at 01:37:40PM +, Doug Beattie via dev-security-policy 
wrote:
> DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
> 
> Surely this shows that EV is not needed to make phishing work, not that EV 
> reduces phishing?
> 
> [DB] It should show that users are safer when visiting an EV secured site.

When you have evidence of that, please feel free to share it.  Everything
that has been presented so far doesn't *actually* show that, it merely shows
something else that people then furiously hand-wave into "see, security!".

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

[Matt Palmer via dev-security-policy]

On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via dev-security-policy 
wrote:
> Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?

Can you point me to the in-progress discussion in the CA/B Forum lists
that is proposing to end EV certificates?  From what I can see so far,
browser vendors aren't "ending" EV certificates, a couple of them are merely
modifying their UIs guided by relevant research into the efficacy (or lack
thereof) of the current UI.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

[Matt Palmer via dev-security-policy]

On Fri, Aug 16, 2019 at 03:15:39PM -0700, Daniel Marschall via 
dev-security-policy wrote:
> (2) I am a pro EV person, and I do not have any financial benefit from EV
> certificates.  I do not own EV certificates, instead my own websites use
> Let's Encrypt DV certificates.  But when I visit important pages like
> Google or PayPal, I do look at the EV indicator bar, because I know that
> these pages always have an EV certificate.

This would be a stronger argument if any Google property had an EV certificate,
or if paypal.com had been displaying an EV treatment on the most commonly
used Browser/OS combo for the past year.

> different color, that would be OK for me).  We cannot say that all users
> don't care about the EV indicator.  For some users like me, it is
> important.

I'm sure a browser plugin could be developed to provide some sort of
indication that a certificate being presented was EV, and you could install
that if you were sufficiently interested.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

[Jakob Bohm via dev-security-policy]

On 17/08/2019 00:56, James Burton wrote:

If one compares the first EV specification with the current EV
specification one will notice that the EV specification hasn't changed that
much during its lifetime. The issues presented during the last years though
research have been known about since the first adoption of the EV
specification. If CAs really cared about EV they would have tried and
improved it during the past 10+ years but nothing happened. If browsers
decided to keep EV what would change? Nothing at all.


Latest change was May 21, 2019.  This added a way to include additional 
government identifiers and very strict validation if that was a banking 
identity.


The EV standards development has always been an adversarial thing with
relying party representatives (only browsers allowed to participate,
unfortunately) requiring stronger checks and CAs trying to minimize the
requirements imposed on them.

The alleged "issues presented during the last years through research"
are mostly red herrings.



There is no one point in discussing the removal of EV any further because
the EV specification had already died.


This change doesn't just remove EV, it kills OV too.  I have always
argued that the UI difference between EV and OV should be reduced or
removed, but removing the difference between EV and DV is so obviously
malicious it is indefensible.



On Fri, Aug 16, 2019 at 11:19 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:


Honestly the issues, as I see them, are twofold:

1.  When I visit a site for the first time, how do I know I should expect
an EV certificate?  I am conscientious about subsequent visits, especially
financial industry sites.

2.  The browsers seem to have a bias toward the average user, that user
literally being less ...smart/aware... than half of all of users.  EV is a
feature that can only benefit people who are vigilant and know what to look
for.  It seems dismissive of the more capable users, but I suppose that's
their call.


A stronger, less confusing UI indicator of EV vs. DV (the important
distinction) would greatly reduce that problem.  Instead there has been
an agenda to gradually fade the indication into invisibility, and this
is apparently the final blow.

An obvious non-malicious way forward would be:

1. Reject and revert this malicious change from Mozilla based browsers
  and market this difference as a major benefit of Firefox over the 3
  platform browsers (IE/Edge, Safari and Chrome).  Minor browsers are
  thus shown that there still is a real choice to be better too.

2. Restore the clear rule that the entire address bar will be in the
  color of the certificate validation strength, (initially green for
  EV, white for DV/none, Red for clearly invalid).  Not just a partial
  coloration.

3. Fix the indicator weaknesses (spoofable color favicon in indicator
  area, not switching to the color of a weaker page element cert,
  showing identity fields that are not the same for all page elements).

4. Use different color for OV vs. no cert/DV to reflect the actual
  difference.

5. Display the information from OV certs like the same information in
  EV certs, even if it doesn't qualify for EV color.  For example
  company name and country in OV color where those values pass all
  checks except being EV.

6. Continue to push for stronger (but not excessive) validation of
  certificate elements other than the domain name.  For example there
  should be meaningful validation that the certificate requester
  controls the claimed street address, but having to send an man to
  physically visit every business address every few years would be too
  much for regular EV certs, but still appropriate for "high value/risk
  identities" (similar to "high value/risk domains", but different
  fields).




On Fri, Aug 16, 2019 at 5:15 PM Daniel Marschall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:


I have a few more comments/annotations:

(1) Pro EV persons argue "Criminals have problems getting an EV
certificate, so most of them are using only DV certificates".

Anti EV persons argue "Criminals just don't use EV certificates, because
they know that end users don't look at the EV indicator anyway".

I assume, we do not know which of these two assumptions fits to the
majority of criminals. So why should we make a decision (change of UI)
based on such assumptions?

(2) I am a pro EV person, and I do not have any financial benefit from EV
certificates. I do not own EV certificates, instead my own websites use
Let's Encrypt DV certificates. But when I visit important pages like

Google

or PayPal, I do look at the EV indicator bar, because I know that these
pages always have an EV certificate. If I would visit PayPal and only

see a

normal pad lock (DV), then I would instantly leave the page because I

know

that PayPal always has an EV certificate. So, at least for me, the UI
change is very negative (except if