RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Zu via dev-security-policy
Good afternoon all, I would like to chime in with my two cents, if allowed: 1. Users do not notice the absence of a positive indicator. There is ample evidence, academic and otherwise. If users did notice the absence of a positive indicator, it follows that phishing without an EV certificate

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
From: Ben Laurie Sent: Friday, August 16, 2019 9:33 AM To: Doug Beattie Cc: Jonathan Rudenberg ; Peter Gutmann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar On Fri, 16 Aug 2019 at 14:31, Doug

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Ben Laurie via dev-security-policy
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished Surely this shows that EV is not needed to make phishing work, not that

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jonathan Rudenberg via dev-security-policy
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote: > Peter, > > I'm not claiming that EV reduces phishing globally, just for those sites > that use them. Do you have a chart that breaks down phishing attacks by SSL > certificate type? > > Here is some research that

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
From: Jonathan Rudenberg Sent: Friday, August 16, 2019 9:04 AM To: Doug Beattie ; Peter Gutmann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar On Fri, Aug 16, 2019, at 07:56, Doug Beattie via

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
Peter, I'm not claiming that EV reduces phishing globally, just for those sites that use them. Do you have a chart that breaks down phishing attacks by SSL certificate type? Here is some research that indicates EV sites have a reduced phishing percentage, so customers accessing EV protected

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Nick Lamb via dev-security-policy
On Fri, 16 Aug 2019 13:31:08 + Doug Beattie via dev-security-policy wrote: > DB: One of the reasons that phishers don't get EV certificates is > because the vetting process requires several interactions and > corporate repositories which end up revealing more about their > identity. This

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
> > See also the screenshot I posted earlier.  That was from a black-market web > site selling EV certificates to anyone with the stolen credit cards to pay for > them.  These are legit EV certs issued to legit companies, available off the > shelf for criminals to use.  For a little extra payment

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread tegeran--- via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote: > Yes, I work for a CA that issues EV certificates, but if there was no value > in them, then our customers would certainly not be paying extra for them. > Shouldn’t the large enterprises that see a value in identity (as

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Paul van Brouwershaven via dev-security-policy
Thanks Tim, well written and I completely agree! In this thread, issues have been raised that EV validation is not perfect and that criminals can obtain an EV certificate (if they reveal their identity). I also agree that the validation can be improved, but as Tim stated, that doesn't mean

Re: Request to Include 4 Microsoft Root CAs

2019-08-16 Thread Jason via dev-security-policy
Hi All, This is Jason from the Microsoft PKI Services team. I’d like to add some context to the note about the certs issued from the Microsoft RSA Root Certificate Authority 2017. As you can see, these were all issued to a domain registered to Microsoft. While these clearly violate the Subject

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread tim--- via dev-security-policy
My apologies for not weighing in earlier, but like many others I was surprised by this announcement and had to make time to craft this message around other pressing demands. The original announcement above that the EV UI would be removed in October cited authorities and articles that were in

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Leo Grove via dev-security-policy writes: >Are you referring to EV Code Signing certificates? I agree that needs to be >addressed in another forum, but this discussion in on EV SSL/TLS and their >value (or lack thereof) in the browser UI. Browsers do not support EV Code >Signing in the UI as

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Matthew Hardeman via dev-security-policy
Honestly the issues, as I see them, are twofold: 1. When I visit a site for the first time, how do I know I should expect an EV certificate? I am conscientious about subsequent visits, especially financial industry sites. 2. The browsers seem to have a bias toward the average user, that user

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >One of the reasons that phishers don’t get EV certificates is because the >vetting process requires several interactions and corporate repositories >which end up revealing more about their identity. This leaves a trail back >to the individual that set up the fake site

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Corey Bonnell via dev-security-policy writes: >the effectiveness of the EV UI treatment is predicated on whether or not the >user can memorize which websites always use EV certificates *and* no longer >proceed with using the website if the EV treatment isn't shown. That's a huge >cognitive

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
I don't know about other CAs, but at SSL.com we issue a very limited number of EV SSL certificates in comparison to other certificates so it's not a big revenue driver. However, as a user I support EV SSL. I personally have never come across a scam site that displayed an EV SSL (I'm not saying

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jakob Bohm via dev-security-policy
On 17/08/2019 03:15, Peter Gutmann wrote: Corey Bonnell via dev-security-policy writes: the effectiveness of the EV UI treatment is predicated on whether or not the user can memorize which websites always use EV certificates *and* no longer proceed with using the website if the EV treatment

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: >Your legendary dislike for all things X.509 is showing. My dislike for persisting mindlessly with stuff we already know doesn't work is showing (see in particular the quote typically misattributed to Einstein about the definition of insanity), and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Kurt Roeckx via dev-security-policy
On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote: > > By way of background, until recently almost all phishing and malware was on > unencrypted http sites. They received a neutral UI, and the bad guys didn’t > have to spend time and money getting a certificate,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Daniel Marschall via dev-security-policy
I have a few more comments/annotations: (1) Pro EV persons argue "Criminals have problems getting an EV certificate, so most of them are using only DV certificates". Anti EV persons argue "Criminals just don't use EV certificates, because they know that end users don't look at the EV indicator

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread James Burton via dev-security-policy
If one compares the first EV specification with the current EV specification one will notice that the EV specification hasn't changed that much during its lifetime. The issues presented during the last years through research have been known about since the first adoption of the EV specification. If