Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-19 Thread scott.helme--- via dev-security-policy 

> If I’m right, they might get upset with the removal of the UI.

Hey Paul,

To the best of my knowledge the UI isn't being removed, it's simply being moved 
to another location. If a consumer wishes to continue viewing the EV UI they 
can with a simple, single click. As a result, this shouldn't be any cause for 
concern.

Kind regards, 

Scott.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread scott.helme--- via dev-security-policy 

> I hope the Mozilla community will celebrate this honor, but will also 
> reconsider its proposal to drop support for EV certificates – that would mean 
> that Firefox no longer meets all BSI requirements for a secure browser.

Hey Kirk,

Can you link to where Mozilla (or any other browser vendor) has stated their 
intention to drop support for EV certificates? Unless you're confusing the 
recent/upcoming UI changes surrounding EV, I've seen no such intention from the 
browsers. EV certificates will continue to work just as OV and DV certificates 
will.

Kind regards, 

Scott.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-19 Thread scott.helme--- via dev-security-policy 
> 
> What evidence or research shows that the new location is providing better
> protection for the end users?

What evidence or research shows that any location provides any protection for 
the end users? 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: On the value of EV

2017-12-12 Thread scott.helme--- via dev-security-policy 
I recently talked about [1] some of the many problems I see with EV 
certificates on my blog but looking at the tangible security benefits of EV 
they can already be matched, or will soon be matched, by DV certificates. 

Certificate Transparency will be required [2] for all certificates and not just 
EV certificates. This means a mis-issued DV certificate will be exposed just as 
quickly as a mis-issued EV certificate.

The requirement to revocation check an EV certificate can be matched by a DV 
certificate using the OCSP Must-Staple [3] flag set by the CA. 

Those are both technical measures that don't rely on any user perception, 
knowledge or action for them to work, thus making them effective in all 
supporting UAs.

The remaining value of an EV certificate is then based solely on the user 
observing, understanding and responding to the presence or lack of an EV 
indicator. The same EV indicator that is stripped by Antivirus programs, 
proxies and corporate network inspection, which all happen often enough to be 
negatively impacting the roll out of TLSv1.3 at present.

Finally, looking at section 2.1.3 Excluded Purposes of the EV SSL Guidelines 
[4] we're essentially saying to the user, look, here's a company name, some 
name, *any* name, but we can't tell you anything about it other than this is 
the name. If the user doesn't already have prior knowledge of the name of the 
company they wish to do dealings with to validate against the EV UI, what value 
is telling them the name of the company? 


[1] 
https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
[2] https://scotthelme.co.uk/certificate-transparency-an-introduction/
[3] https://scotthelme.co.uk/ocsp-must-staple/
[4] https://cabforum.org/wp-content/uploads/EV-V1_6_6.pdf
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy