On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via
dev-security-policy wrote:
> Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer:
> > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
> > dev-security-policy wrote:
> > > Sure I can register a company and get
Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer:
> On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
> dev-security-policy wrote:
> > Sure I can register a company and get an EV certificate for that company.
> > But can I do this completely anonymous like getting a DV
On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
dev-security-policy wrote:
> Sure I can register a company and get an EV certificate for that company.
> But can I do this completely anonymous like getting a DV cert?
Yes.
> Nobody is arguing that EV certificates are perfect and eve
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in co
On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
> > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > > Deploying a Stripe Inc EV SSL from a
Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> > using an EV SSL in conjunction with a domain name and website with the true
> > int
>
> What evidence or research shows that the new location is providing better
> protection for the end users?
What evidence or research shows that any location provides any protection for
the end users?
___
dev-security-policy mailing list
dev-securit
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote:
> On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
> dev-security-policy@lists.mozilla.org> wrote:
> > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> > dev-security-policy wrote:
> > > Shouldn’t t
Daniel Marschall via dev-security-policy
writes:
>I just looked at Opera and noticed that they don't have any UI difference at
>all, which means I have to open the X.509 certificate to see if it is EV or
>not.
Does anyone know when Opera made the change? They had EV UI at one point, and
then t
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via
dev-security-policy wrote:
> Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
> > [...] From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their UIs
Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
>
> [...] From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are merely
> modifying their UIs guided by relevant research into the efficacy (or lack
> thereof) of the current UI.
>
> - Mat
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in conjunction with a domain name and website with the true
intent to dupe potential customers is another matter. I'm trying to get past
th
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote:
> On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy
> wrote:
> > However, as a user I support EV SSL. I personally have never come across
> > a scam site that displayed an EV SSL (I'm not saying they don
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> dev-security-policy wrote:
> > Shouldn’t the large enterprises that see a value in identity (as
> > does GlobalSign) drive
On Fri, Aug 16, 2019 at 01:37:40PM +, Doug Beattie via dev-security-policy
wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
>
> Surely this shows that EV is not needed to make phishing work, not that EV
> reduces phishing?
>
On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via dev-security-policy
wrote:
> Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?
Can you point me to the in-progress discussion in the CA/B Forum lists
that is pro
On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy
wrote:
> However, as a user I support EV SSL. I personally have never come across
> a scam site that displayed an EV SSL (I'm not saying they don't exist).
> Has anyone else come across a "scam site" displaying EV that's
I don't know about other CAs, but at SSL.com we issue a very limited number of
EV SSL certificates in comparison to other certificates so it's not a big
revenue driver.
However, as a user I support EV SSL. I personally have never come across a scam
site that displayed an EV SSL (I'm not saying
Leo Grove via dev-security-policy
writes:
>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion in on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as far
Doug Beattie writes:
>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site which
>
> See also the screenshot I posted earlier. That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them. These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use. For a little extra payment
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as does
mann
> pgut...@cs.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy
> mailto:dev-security-policy@lists.mo
From: Ben Laurie
Sent: Friday, August 16, 2019 9:33 AM
To: Doug Beattie
Cc: Jonathan Rudenberg ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
the URL bar
On Fri, 16 Aug 2019 at 14:31, Doug
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
Surely this shows that EV is not needed to make phishing work, not that
From: Jonathan Rudenberg
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
>
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type?
>
> Here is some research that indic
ended Validation Information out
of the URL bar
Doug Beattie writes:
>Do you have any empirical data to backup the claims that there is no
>benefit from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data
and research publications on this, and the
Eric Mill writes:
>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.
See also the screenshot I posted earlier. That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to pa
> -Original Message-
> From: dev-security-policy On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Info
Doug Beattie writes:
>So far I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.
See the phishing stats from any source you care to use. I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL S
Doug Beattie writes:
>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozill
tps://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
>
>
> Baffled…
>
>
>
>
>
>
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-po
>
>
> Baffled…
>
>
>
>
>
>
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the
rity-policy
> On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of t
My understanding of the days before EV was that the CAs themselves made up
the validation requirements for DV and because of this there was an uneven
validation requirements across the industry. EV was the first document
created to solve this and standardise validation requirements for a
certificat
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
So far I see is a number of contrived test cases picking apart small components
of EV, and no real data to back it up.
I also would like to see more evidence of problems. However, I have to
object to the idea that
Mostly academ
date-on-London-Protocol.pdf
>
>
>
> Baffled…
>
>
>
>
>
>
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd:
/uploads/23.-Update-on-London-Protocol.pdf
Baffled…
From: Tom Ritter
Sent: Thursday, August 15, 2019 1:13 PM
To: Doug Beattie
Cc: Peter Gutmann ; MozPol
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
the URL bar
On Thu, Aug 15, 2019, 7:46 AM Doug
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates? From the reports I've seen, the percentage of
> phishing and malwa
ginal Message-
From: dev-security-policy On
Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
Jakob
Jakob Bohm via dev-security-policy
writes:
>Problem example:
>[...]
You're explaining how it's supposed to work in theory, not in the real world.
We have a decade of real-world data showing that it doesn't work, that there's
no benefit from EV certificates apart from the one to CA's balance sh
On 14/08/2019 21:55, Peter Bowen wrote:
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:
On 14/08/2019 18:18, Peter Bowen wrote:
On thing I've found really useful in working on user experience is to
discuss things using problem & solution statements that show the before
and
after. For exa
Peter Bowen via dev-security-policy
writes:
>I have to admit that I'm a little confused by this whole discussion. While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.
Oh, tha
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:
> On 14/08/2019 18:18, Peter Bowen wrote:
> > On thing I've found really useful in working on user experience is to
> > discuss things using problem & solution statements that show the before
> and
> > after. For example, "It used to take 10 minu
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the s
On 14/08/2019 18:18, Peter Bowen wrote:
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
A policy of switching from positive to negative indicators of security
differences is no justification to switch to NO indication. And it
c
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> A policy of switching from positive to negative indicators of security
> differences is no justification to switch to NO indication. And it
> certainly doesn't help user understand
Daniel Marschall via dev-security-policy
writes:
>I share the opinion with Jakob, except with the CVE. Please remove this
>change. It is unnecessary and kills the EV market.
And that was my motivation for the previous question: We know from a decade of
data that EV certs haven't made any differ
I share the opinion with Jakob, except with the CVE. Please remove this change.
It is unnecessary and kills the EV market.
But if you insist on keeping that UI change, maybe you can at least give the
lock symbol a different color if it is an EV cert?
__
在 2019年8月13日星期二 UTC+8下午5:57:38,Man Ho写道:
> For EV certificate being useful in email, email client software should
> give a special EV treatment to such certificate. I am not aware of any
> email client software that support any special EV treatment at all. Do
> you have more information to sha
DO NOT SHIP THIS. Revert the change immediately and request a CVE
number for the nightlies with this change included.
That Chrome does something harmful is not surprising, and is no
justification for a supposedly independent browser to do the same.
A policy of switching from positive to negativ
For EV certificate being useful in email, email client software should
give a special EV treatment to such certificate. I am not aware of any
email client software that support any special EV treatment at all. Do
you have more information to share with us?
-- Man Ho
On 13-Aug-19 5:12 PM, Kur
On 2019-08-13 05:27, Peter Gutmann wrote:
Wayne Thayer via dev-security-policy
writes:
Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which
is expected to be released on 22-October. Details below.
Just out of interest, how are the CAs taking this? If there's no mor
Wayne Thayer via dev-security-policy
writes:
>Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which
>is expected to be released on 22-October. Details below.
Just out of interest, how are the CAs taking this? If there's no more reason
to pay a substantial premium to ena
Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
which is expected to be released on 22-October. Details below.
If the before and after images are stripped from the email, you can view
them here:
Before:
https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlR
56 matches
Mail list logo