Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-16 Thread Paul Walsh via dev-security-policy
On Oct 14, 2019, at 12:07 PM, Ronald Crane via dev-security-policy wrote: > > The finding is from public information that is relevant to the current value > of EV certificates, which is a central part of this discussion. [PW] For the record, we didn't purchase an EV cert because the browser

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-16 Thread Paul Walsh via dev-security-policy
> On Oct 14, 2019, at 12:07 PM, Ronald Crane via dev-security-policy > wrote: > > The finding is from public information that is relevant to the current value > of EV certificates, which is a central part of this discussion. [PW] I’m still confused Ronald. And, sorry for taking so long to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-14 Thread Ronald Crane via dev-security-policy
The finding is from public information that is relevant to the current value of EV certificates, which is a central part of this discussion. -R On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote: I have two questions Ronald: 1. What should I look for? I just see a DV cert from

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-14 Thread Paul Walsh via dev-security-policy
I have two questions Ronald: 1. What should I look for? I just see a DV cert from Let’s Encrypt. 2. Why did you message the entire community about whatever it is you’ve found? Thanks, Paul Sent from my iPhone > On Oct 12, 2019, at 11:04 AM, Ronald Crane via dev-security-policy > wrote: >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-14 Thread carsten.mueller.gl--- via dev-security-policy
Already the screenshots of the report from 2016 on page 3 show why no normal user can recognize if a website was encrypted or if an EV certificate was in use. The browser manufacturers must agree on a uniform, easy-to-understand presentation of the security indicators and not change them every

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-13 Thread balasanjay--- via dev-security-policy
I agree, based on your numbers, Let's Encrypt does seem incredibly dangerous. It reminds me of my own research into car safety; did you know over 90% of car accidents involve cars with roofs? Despite this iron-clad evidence of a massive problem, a nice gentleman from the NTSB refused to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-12 Thread Ronald Crane via dev-security-policy
Just FYI, metacert.com served up this cert recently: https://crt.sh/?id=1884181370 . -R ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-11 Thread Paul Walsh via dev-security-policy
Everything I have ever said on this thread can now be found in one article: https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ This was by invitation of the CA Security Council a few months ago. I have never worked for a CA and I have never had any reason to say anything in

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-11 Thread Paul Walsh via dev-security-policy
I’ve replied for the record even though you say this is your last post on this particular thread, or to me. I’m good with that as I don’t think you care about what anything anyone says outside the browser vendor world anyway. > On Oct 9, 2019, at 5:09 PM, Ryan Sleevi wrote: > > > > On Wed,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 9, 2019 at 7:17 PM Paul Walsh wrote: > We can all agree that almost no user knows the difference between a site > with a DV cert and a site with an EV cert. I personally came to that > conclusion years ago. I wanted data, so I asked more than 3,000 people. > Almost everyone assumed

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
I’m sorry for the follow up message - I know we all get too many notifications already. But I forgot to add that I was the founder and CEO of Segala - the company referenced on the W3C website that I referred to below. Sorry about that. Paul > On Oct 9, 2019, at 4:17 PM, Paul Walsh wrote:

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 3:23 PM, Ryan Sleevi wrote: > > > > On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy > > wrote: > I believe an alternative icon to the encryption lock would make a massive > difference to combating the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe an alternative icon to the encryption lock would make a massive > difference to combating the security threats that involve dangerous links > and websites. I provided data

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 2:04 PM, Eric Mill wrote: > > (apologies to anyone who gets this twice, my first email got sent to some > spam folders, so I took out the example domain I used) > > Hi Paul, > > Those statements are both hyperbolic representations of others' points of > view. [PW]

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Eric Mill via dev-security-policy
(apologies to anyone who gets this twice, my first email got sent to some spam folders, so I took out the example domain I used) Hi Paul, Those statements are both hyperbolic representations of others' points of view. There are plenty of people who are skeptical about the effectiveness of EV

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Eric Mill via dev-security-policy
Hi Paul, Those statements are both hyperbolic representations of others' points of view. There are plenty of people who are skeptical about the effectiveness of EV and its associated UI who nonetheless believe that some sense of trustworthiness about websites is important. For example, Mozilla

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 4:19 AM, carsten.mueller.gl--- via dev-security-policy > wrote: > >> But the target audience for phishing are uninformed people. People which >> have no idea what a EV cert is. People who don't even blink if the English >> on the phishing page is worse than a 5-year old

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-08 Thread carsten.mueller.gl--- via dev-security-policy
> But the target audience for phishing are uninformed people. People which have > no idea what a EV cert is. People who don't even blink if the English on the > phishing page is worse than a 5-year old could produce. > > You cannot base the decision if a EV indication in the browser is useful

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Wed, Sep 04, 2019 at 03:50:40PM +0200, Kurt Roeckx via dev-security-policy wrote: > On 2019-09-04 14:14, Matt Palmer wrote: > > If EV information is of use in anti-phishing efforts, then it would be best > > for the providers of anti-phishing services to team up with CAs to describe > > the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Kurt Roeckx via dev-security-policy
On 2019-09-04 14:14, Matt Palmer wrote: If EV information is of use in anti-phishing efforts, then it would be best for the providers of anti-phishing services to team up with CAs to describe the advantages of continuing to provide an EV certificate. If site owners, who are presumably smart

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Tue, Sep 03, 2019 at 06:16:23PM -0700, Kirk Hall via dev-security-policy wrote: > However, I did receive authority to post the following statement from > someone who works for a major browser phishing filter (but without > disclosing the person's name or company). Here is the authorized >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-03 Thread Kirk Hall via dev-security-policy
Last week I posted reasons why Mozilla shouldn’t remove the EV UI from Firefox. In addition to the discussion on how the EV UI can inform users when a website does or does not have confirmed identity before they choose to type in their password or credit card number (after a little user

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-02 Thread Josef Schneider via dev-security-policy
On Sunday, 1 September 2019 at 04:27:04 UTC+2, Peter Gutmann wrote: > Since the value to criminals of EV web certs is low, it seems they're not > doing much to stop what the criminals are doing. If they did have any value > then criminals would be prepared to pay more for them, like they already

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-31 Thread Peter Gutmann via dev-security-policy
Kirk Hall via dev-security-policy writes: >does GSB use any EV certificate identity data in its phishing algorithms. Another way to think about this is to look at it from the criminals' perspective: What's the value to criminals? To use a silly example, the value to criminals of an

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Fri, 30 Aug 2019 12:02:42 -0500 Matthew Hardeman via dev-security-policy wrote: > What's not discussed in that mechanism is how Google decides what > pages are unsafe and when? Yes, but the point was to show what shape Safe Browsing API is, I guess I'd assumed this makes it obvious that EV

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread James Burton via dev-security-policy
Kirk, I know you are really passionate about extended validation and it does come across in your correspondences on this forum and the CAB Forum but sometimes our passion or frustration leads us to divulge private information which shouldn't have been released into the public domain. Before you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Friday, August 30, 2019 at 11:38:55 AM UTC-7, Peter Bowen wrote: > On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > I'll just reiterate my point and then drop the subject. EV certificate > > subject information is used

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 30, 2019 at 12:06 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This is super easy, and doesn't even require you to do any work, like > contacting Google Safe Browsing and asking them to participate in this > conversation. > > Here's the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Peter Bowen via dev-security-policy
On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I'll just reiterate my point and then drop the subject. EV certificate > subject information is used by anti-phishing services and browser phishing > filters, and it would be a

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
> OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters and anti-virus apps use EV data in their anti-phishing > algorithms). > > This is super easy, and doesn't even require

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
On Fri, Aug 30, 2019 at 11:56 AM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > For readers unfamiliar, let me briefly explain what Safe Browsing gives > browsers: > > For every URL you're considering displaying you calculate a whole bunch > of cryptographic

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 18:44:11 -0700 (PDT) Kirk Hall via dev-security-policy wrote: > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do > browser phishing filters and anti-virus apps use EV data in their >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
> > I’m not saying that this is the case, but merely to say that the > Yes/No/IDK does not represent the full set of feasible responses. > So let's add "I decline to make inquiries, official or otherwise" and "Policy prevents me from discussing that" to the list. It would be interesting to get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Neil Dunbar via dev-security-policy
> On 30 Aug 2019, at 02:44, Kirk Hall via dev-security-policy > > wrote: > > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 6:15:44 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > What the heck does it mean when sometimes you say you are posting "in a > > personal capacity" and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Leo Grove via dev-security-policy
On Thursday, August 29, 2019 at 5:26:55 PM UTC-5, Kirk Hall wrote: > On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > > > > > > Don't argue with me,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Matt Palmer via dev-security-policy
On Thu, Aug 29, 2019 at 02:14:10PM -0700, Kirk Hall via dev-security-policy wrote: > For EV certificates, the appeal for website owners over the past 10 years > has been that they get a distinctive EV UI that they believe protects > their consumers and their brands (again, don't argue with me but

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What the heck does it mean when sometimes you say you are posting "in a > personal capacity" and sometimes you don't? It sounds like you were very prescient in your inability to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > > On Thu, Aug 29, 2019 at 6:26

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Could you point to the browsing phishing filters and anti-phishing > > services > > > that do? It

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Could you point to the browsing phishing filters and anti-phishing > services > > that do? It might be an opportunity for you to find out how they deal > with > > this, and report

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Josef Schneider via dev-security-policy
On Thursday, 29 August 2019 at 10:59:40 UTC+2, Nick Lamb wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > > > Not legally probably and this also depends on the jurisdiction. Since > > an EV cert shows the jurisdiction, a user can draw

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In this case, the use of EV certificates, and the presumption of > > > reputation, would lead to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > In this case, the use of EV certificates, and the presumption of > > reputation, would lead to actively worse security. > > > > Did I misunderstand the scenario? > > Don't argue

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 12:17:22 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Sure, I’m happy to explain, using Bank of America as an example. > > > Kirk, > > Thanks for

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb wrote: > On Thu, 29 Aug 2019 13:33:26 -0400 > Lee via dev-security-policy > wrote: > >> That it isn't my financial institution. Hopefully I'd have the >> presence of mind to save the fraud site cert, but I'd either find the >> business card of the person I've been dealing

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 19:47, Nick Lamb wrote: > On Thu, 29 Aug 2019 17:05:43 +0200 > Jakob Bohm via dev-security-policy > wrote: > >> The example given a few messages above was a different jurisdiction >> than those two easily duped company registries. > > I see. Perhaps Vienna, Austria has a truly

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ronald Crane via dev-security-policy
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote: ... If you _work_ for such an institution [e.g., a bank], the best thing you could do to protect your customers against Phishing, a very popular attack that TLS is often expected to mitigate, is offer WebAuthn You also could

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread James Burton via dev-security-policy
These so-called "extended" validation vetting checks on companies for extended validation certificates are supposed to provide the consumer on the website with a high level of assurance that the company has been properly validated but the fact is that these so-called "extended" validation vetting

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sure, I’m happy to explain, using Bank of America as an example. Kirk, Thanks for providing this example. Could you help me understand how it helps determine that things are

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ian Carroll via dev-security-policy
On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote: > On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > > This string is about Mozilla’s announced plan to remove the EV UI

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > This string is about Mozilla’s announced plan to remove the EV UI from > > Firefox in October. Over time, this will tend to eliminate

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 13:33:26 -0400 Lee via dev-security-policy wrote: > That it isn't my financial institution. Hopefully I'd have the > presence of mind to save the fraud site cert, but I'd either find the > business card of the person I've been dealing with there or find an > old statement,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jonathan Rudenberg via dev-security-policy
On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > This string is about Mozilla’s announced plan to remove the EV UI from > Firefox in October. Over time, this will tend to eliminate confirmed > identity information about websites from the security ecosystem, as EV >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 17:05:43 +0200 Jakob Bohm via dev-security-policy wrote: > The example given a few messages above was a different jurisdiction > than those two easily duped company registries. I see. Perhaps Vienna, Austria has a truly exemplary registry when it comes to such things. Do you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
This string is about Mozilla’s announced plan to remove the EV UI from Firefox in October. Over time, this will tend to eliminate confirmed identity information about websites from the security ecosystem, as EV website owners may decide it’s not worth using an EV certificate if browsers

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb via dev-security-policy wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >>

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 10:58, Nick Lamb wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >> that. > > Yes

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) Josef Schneider via dev-security-policy wrote: > Not legally probably and this also depends on the jurisdiction. Since > an EV cert shows the jurisdiction, a user can draw conclusions from > that. Yes it is true that crimes are illegal. This has not

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Matt Palmer via dev-security-policy
On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via dev-security-policy wrote: > On Tuesday, 27 August 2019 at 00:48:38 UTC+2, Matt Palmer wrote: > > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via > > dev-security-policy wrote: > > > Sure I can register a company and get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Ryan Sleevi via dev-security-policy
(Posting in a personal capacity) On Wed, Aug 28, 2019 at 7:01 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Most of the comments against EV certificates on this list have been > focused on whether or not the current Firefox EV UI is relied on by Firefox >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Kirk Hall via dev-security-policy
Most of the comments against EV certificates on this list have been focused on whether or not the current Firefox EV UI is relied on by Firefox users to make security decisions. (Actually, I have only seen a Google paper on this issue in Chrome, no research from Firefox.) But there is an

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Josef Schneider via dev-security-policy
On Tuesday, 27 August 2019 at 00:48:38 UTC+2, Matt Palmer wrote: > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via > dev-security-policy wrote: > > Sure I can register a company and get an EV certificate for that company. > > But can I do this completely anonymous like getting a DV

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Leo Grove via dev-security-policy
> > There are also opportunities for browsers here. I have to admit I > primarily use Google Chrome, rather than Firefox, so my observations may be > a little tainted, but I see various places where signals far more valuable > than the green lock could be implemented. Consider that most

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Resend again to fix spelling errors and add extra details The correct way to vet a UK company would be to: 1. The CA checks Companies House to check if the company is incorporated. 2. The CA sends a letter with verification code to the company address listed on Companies House. 3. The CA requests

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Companies House ( http://resources.companieshouse.gov.uk/serviceInformation.shtml#compInfo) says "We carry out basic checks on documents received to make sure that they have been fully completed and signed, but we do not have the statutory power or capability to verify the accuracy of the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Jakob Bohm via dev-security-policy
On 27/08/2019 08:03, Peter Gutmann wrote: > Jakob Bohm via dev-security-policy > writes: > >> and >> both took advantage of weaknesses in two >> government registries > > They weren't "weaknesses in government

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Cynthia Revström via dev-security-policy
> > Because no actual proof that DV versus EV makes no difference in the > current (not ancient or anecdotal) situation has been posted. > > To me that sounds like you are suggesting that we prove that nothing happened, which is pretty much impossible. Why don't you or the CAs offering EV prove

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: > and > both took advantage of weaknesses in two >government registries They weren't "weaknesses in government registries", they were registries working as designed, and as

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jonathan Rudenberg via dev-security-policy
On Mon, Aug 26, 2019, at 20:44, Jakob Bohm via dev-security-policy wrote: > On 26/08/2019 21:49, Jonathan Rudenberg wrote: > > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: > >> and > >> both

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
On 26/08/2019 21:49, Jonathan Rudenberg wrote: > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: >> and >> both took advantage of weaknesses in two >> government registries to create actual dummy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread James Burton via dev-security-policy
Jakob, Before I touch on your comments, I wanted to point out that I am fairly well known in the CA industry even back then and that fact might have tainted the results slightly because I am treated somewhat differently to other orders as the validation staff look more carefully at the

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Matt Palmer via dev-security-policy
On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via dev-security-policy wrote: > Sure I can register a company and get an EV certificate for that company. > But can I do this completely anonymous like getting a DV cert? Yes. > Nobody is arguing that EV certificates are perfect and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jonathan Rudenberg via dev-security-policy
On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: > and > both took advantage of weaknesses in two > government registries to create actual dummy companies with misleading > names, then trying to get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
On 24/08/2019 05:55, Tom Ritter wrote: On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy wrote: On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Ronald Crane via dev-security-policy
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote: On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote: On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Wayne Thayer via dev-security-policy
On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote: > > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: > > > Deploying a Stripe Inc EV SSL from a

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Josef Schneider via dev-security-policy
On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote: > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: > > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but > > using an EV SSL in conjunction with a domain name and website with the true > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-24 Thread Jernej Simončič via dev-security-policy
On Fri, 23 Aug 2019 15:53:21 -0700 (PDT), Daniel Marschall wrote: > Can you prove that your assumption "very few phishing sites use EV (only) > because DV is sufficient" is correct? I do think the truth is "very few > phishing sites use EV, because EV is hard to get". Before browsers started

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy wrote: > > On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > > Whatever the merits of EV (and perhaps there are some -- I'm not >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Peter Bowen via dev-security-policy
On Thu, Aug 22, 2019 at 1:44 PM kirkhalloregon--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Some have responded there is no research saying EV sites have > significantly less phishing (and are therefore safer) than DV sites – Tim > has listed two studies that say

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote: On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps there are some -- I'm not convinced either way)

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Daniel Marschall via dev-security-policy
On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > Whatever the merits of EV (and perhaps there are some -- I'm not > convinced either way) this data is negligible evidence of them. A DV > cert is

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread sslcorp.team--- via dev-security-policy
> > Correlation does not imply causation. > > There are studies that show phishing sites tend not to be EV - yes. > That's a correlation. > > If we studied phishing sites and domain name registration fees I'm > sure we'd find a correlation there too - I'd bet the .cfd TLD (which > apparently

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote: On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: > > On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > I can tell you that anti-phishing services and browser phishing filters

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Leo Grove via dev-security-policy
On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > I can tell you that anti-phishing services and browser phishing filters > > have also concluded that EV sites are very unlikely to be phishing >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Ronald Crane via dev-security-policy
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you that anti-phishing services and browser phishing filters have also concluded that EV sites are very unlikely to be phishing sites and so are safer for users. Whatever the merits of EV (and perhaps

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread kirkhalloregon--- via dev-security-policy
> > - Wayne > > -- Forwarded message - > From: Johann Hofmann > Date: Mon, Aug 12, 2019 at 1:05 AM > Subject: Intent to Ship: Move Extended Validation In

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-21 Thread Tadahiko Ito via dev-security-policy
(From my personal point of view) I read Google’s paper[1]. For me, that paper’s result could be hypothesized like “some people do care about some information, which is written in EV but not in DV”. That is… (A) If you click EV indicator, you will be able to get more information about identity

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-19 Thread scott.helme--- via dev-security-policy
> > What evidence or research shows that the new location is providing better > protection for the end users? What evidence or research shows that any location provides any protection for the end users?

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote: > On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, < > dev-security-policy@lists.mozilla.org> wrote: > > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via > > dev-security-policy wrote: > > > Shouldn’t

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy writes: >I just looked at Opera and noticed that they don't have any UI difference at >all, which means I have to open the X.509 certificate to see if it is EV or >not. Does anyone know when Opera made the change? They had EV UI at one point, and then

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via dev-security-policy wrote: > On Sunday, 18 August 2019 07:18:56 UTC+2, Matt Palmer wrote: > > [...] From what I can see so far, > > browser vendors aren't "ending" EV certificates, a couple of them are merely > > modifying their

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Daniel Marschall via dev-security-policy
On Sunday, 18 August 2019 07:18:56 UTC+2, Matt Palmer wrote: > > [...] From what I can see so far, > browser vendors aren't "ending" EV certificates, a couple of them are merely > modifying their UIs guided by relevant research into the efficacy (or lack > thereof) of the current UI. > > -

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Ronald Crane via dev-security-policy
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in conjunction with a domain name and website with the true intent to dupe potential customers is another matter. I'm trying to get past
