Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote:
> On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
> dev-security-policy@lists.mozilla.org> wrote:
> > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> > dev-security-policy wrote:
> > > Shouldn’t the large enterprises that see a value in identity (as
> > > does GlobalSign) drive the need for ending EV certificates?
> >
> > Can you point me to the in-progress discussion in the CA/B Forum lists
> > that is proposing to end EV certificates? From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are
> > merely modifying their UIs guided by relevant research into the efficacy
> > (or lack thereof) of the current UI.
>
> What evidence or research shows that the new location is providing better
> protection for the end users?

I don't think it requires rigorous research to show that 0 >= 0.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
Daniel Marschall via dev-security-policy writes:

> I just looked at Opera and noticed that they don't have any UI difference at
> all, which means I have to open the X.509 certificate to see if it is EV or
> not.

Does anyone know when Opera made the change? They had EV UI at one point, and
then there's this bug report:

https://forums.opera.com/topic/17923/ev-certificate-looks-like-ov

which blames the lack of EV UI on Chromium, so something inherited from Chrome.
It looks like it's then just a side-effect of the Chrome change and allegedly
"fixed in 44.0.2494.0", but Chrome 57 was from 2017, which means at some point
the change got reinstated.

Peter.
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via dev-security-policy wrote:
> Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
> > [...] From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their UIs guided by relevant research into the efficacy (or lack
> > thereof) of the current UI.
>
> Matt, I don't understand this. Isn't removing the UI bling the same as
> "removing" EV from the browser?

Yes, but removing EV from the browser isn't the same as ending EV
certificates, which is what was claimed in the message I responded to.

> I guess that EV will eventually be ended by the Customers/CAs.

We'll have to leave it to the invisible hand of the market to sort that out.
If CAs cease issuing EV TLS/SSL certificates, it will presumably be because
customers are no longer buying them, and customers will cease buying them if
there is no perceived value in them, which is what CAs have repeatedly said
isn't the case. So CAs ceasing to issue EV TLS/SSL certificates will be a
confirmation that, in fact, EV TLS/SSL certificates had no value beyond the UI
"bling", as you call it, which the research overwhelmingly indicates is of
trivial value.

> I just looked at Opera and noticed that they don't have any UI difference
> at all, which means I have to open the X.509 certificate to see if it is
> EV or not.

So that's one more browser vendor that sees no value in "UI bling" for EV
certificates. It almost makes Firefox and Chrome look like the laggards in
this decision, rather than the harbingers of a new era.

- Matt
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Sunday, 18 August 2019 07:18:56 UTC+2, Matt Palmer wrote:
> [...] From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are merely
> modifying their UIs guided by relevant research into the efficacy (or lack
> thereof) of the current UI.
>
> - Matt

Matt, I don't understand this. Isn't removing the UI bling the same as
"removing" EV from the browser?

The UI difference is either so tiny or even non-existent, so I guess that EV
will eventually be ended by the Customers/CAs.

I just looked at Opera and noticed that they don't have any UI difference at
all, which means I have to open the X.509 certificate to see if it is EV or
not.
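Daniel's remark that, without a UI indicator, one has to open the X.509 certificate to tell EV from OV raises the practical question of what in the certificate actually encodes that. As an added example (not code from this thread, nor from any browser or CA mentioned in it), the Go program below classifies a leaf by the reserved CA/Browser Forum policy OIDs in its certificatePolicies extension (2.23.140.1.1 for EV; 2.23.140.1.2.1, .2 and .3 for DV, OV and IV) plus any CA-specific EV OIDs the caller chooses to trust. The self-signed test certificates, the name example.test and the placeholder OID 2.999.1 (an arc ITU-T reserves for documentation examples) are constructed here; no real CA's private EV OID is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Reserved certificatePolicies OIDs from the CA/Browser Forum Baseline
// Requirements and EV Guidelines. CAs historically also asserted their own
// EV policy OID, which browsers recognised per trusted root.
var (
	oidCABFEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCABFDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidCABFOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCABFIV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}

	// Stand-in for a CA-specific EV OID, under the 2.999 arc that ITU-T
	// reserves for examples. Hypothetical: not any real CA's OID.
	examplePrivateEVOID = asn1.ObjectIdentifier{2, 999, 1}

	// A caller-supplied trust list of private EV OIDs (here just the stand-in).
	privateEVTrustList = []asn1.ObjectIdentifier{examplePrivateEVOID}

	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// ValidationLevel returns "EV", "OV", "IV", "DV" or "none" from the policy
// OIDs the leaf asserts. It inspects the leaf only; a real relying party
// must also validate the chain to a root that is enabled for EV.
func ValidationLevel(cert *x509.Certificate, caEVOIDs []asn1.ObjectIdentifier) string {
	has := func(want asn1.ObjectIdentifier) bool {
		for _, p := range cert.PolicyIdentifiers {
			if p.Equal(want) {
				return true
			}
		}
		return false
	}
	if has(oidCABFEV) {
		return "EV"
	}
	for _, oid := range caEVOIDs {
		if has(oid) {
			return "EV"
		}
	}
	switch {
	case has(oidCABFOV):
		return "OV"
	case has(oidCABFIV):
		return "IV"
	case has(oidCABFDV):
		return "DV"
	}
	return "none"
}

// policyInformation mirrors RFC 5280's PolicyInformation SEQUENCE with the
// optional policyQualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// SelfSignedWithPolicies builds a throwaway self-signed leaf asserting the
// given policy OIDs so the classifier can run offline. The extension is
// DER-encoded by hand and attached via ExtraExtensions, which works the same
// across Go releases regardless of the PolicyIdentifiers/Policies field split.
func SelfSignedWithPolicies(policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test", Organization: []string{"Example Ltd"}},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		infos := make([]policyInformation, 0, len(policies))
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := map[string][]asn1.ObjectIdentifier{
		"generic EV":    {oidCABFEV},
		"CA-private EV": {examplePrivateEVOID},
		"OV":            {oidCABFOV},
		"DV":            {oidCABFDV},
		"no policies":   nil,
	}
	for name, pols := range cases {
		cert, err := SelfSignedWithPolicies(pols...)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-14s -> %s\n", name, ValidationLevel(cert, privateEVTrustList))
	}
}
```

The second argument to ValidationLevel is the point a browser's EV UI used to hide: a CA-private EV OID only meant anything because the browser carried a list tying that OID to a specific root, and without such a list the same certificate classifies as "none". The check is also leaf-only; it does not replace chain building and revocation checking.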
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> using an EV SSL in conjunction with a domain name and website with the true
> intent to dupe potential customers is another matter. I'm trying to get past
> the theoretical and get to real world instances.

I don't understand the idea that the Stripe proof-of-concept is "theoretical".
We know that phishing is epidemic, and we also know that phishers presently
need -- at most -- a DV cert. The POC shows that -- should something cause
phishers to need an EV cert -- they can also get one of those quickly and
inexpensively. But why would a phisher bother with an EV cert if a DV cert
works just as well?

-R
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote:
> On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy
> wrote:
> > However, as a user I support EV SSL. I personally have never come across
> > a scam site that displayed an EV SSL (I'm not saying they don't exist).
> > Has anyone else come across a "scam site" displaying EV that's not part of
> > an academic exercise?
>
> Counter-question: why does that matter?
>
> - Matt

It matters because someone on this discussion claimed to be able to buy an EV
SSL on the black market and used it as a supporting argument against EV. I'd
honestly like to know if anyone has seen one "in the wild", so to speak. My
write-up was from the perspective of a user, so I'd like to know if I've been
putting too much faith in EV SSL since there may be scam sites employing these
pirated certificates.

Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in conjunction with a domain name and website with the true
intent to dupe potential customers is another matter. I'm trying to get past
the theoretical and get to real world instances.

Leo
Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> dev-security-policy wrote:
> > Shouldn’t the large enterprises that see a value in identity (as
> > does GlobalSign) drive the need for ending EV certificates?
>
> Can you point me to the in-progress discussion in the CA/B Forum lists
> that is proposing to end EV certificates? From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are
> merely modifying their UIs guided by relevant research into the efficacy
> (or lack thereof) of the current UI.

What evidence or research shows that the new location is providing better
protection for the end users?