Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:21 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 3:17 PM, Paul Walsh wrote: >>> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: >>> it

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 9, 2019 at 7:17 PM Paul Walsh wrote: > We can all agree that almost no user knows the difference between a site > with a DV cert and a site with an EV cert. I personally came to that > conclusion years ago. I wanted data, so I asked more than 3,000 people. > Almost everyone assumed

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe an alternative icon to the encryption lock would make a massive > difference to combating the security threats that involve dangerous links > and websites. I provided data

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/9/2019 3:17 PM, Paul Walsh wrote: On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy wrote: On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: it indefinitely. [PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement DoH is going to

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Peter Gutmann via dev-security-policy
Paul Walsh via dev-security-policy writes: >The data suggests that automatically issued DV certs for free is a favorite >for criminals. True, but that one's just an instance of Sutton's Law, they go for those because they're the least effort. I was at a talk yesterday by a pen-tester who

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 3:23 PM, Ryan Sleevi wrote: > > > > On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy > > wrote: > I believe an alternative icon to the encryption lock would make a massive > difference to combating the

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: >>> On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 2:04 PM, Eric Mill wrote: > > (apologies to anyone who gets this twice, my first email got sent to some > spam folders, so I took out the example domain I used) > > Hi Paul, > > Those statements are both hyperbolic representations of others' points of > view. [PW]

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
I’m sorry for the follow up message - I know we all get too many notifications already. But I forgot to add that I was the founder and CEO of Segala - the company referenced on the W3C website that I referred to below. Sorry about that. Paul > On Oct 9, 2019, at 4:17 PM, Paul Walsh wrote:

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy wrote: On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote: [PW] Ronald, I don’t believe better detection and prevention is the answer for

Re: Audit Letter Validation (ALV) on intermediate certs in CCADB

2019-10-09 Thread Kathleen Wilson via dev-security-policy
All, I would like to remind everyone about when these requirements for non-technically-constrained intermediate certificates came into effect for CAs in Mozilla’s program according to previous versions of Mozilla’s Root Store Policy[1] and previous CA Communications[2]. February 2013:

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:19 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> The data suggests that automatically issued DV certs for free is a favorite >> for criminals. > > True, but that one's just an instance of Sutton's Law, they go for those > because

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Leo Grove via dev-security-policy
On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: > On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy > wrote: > > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? > > Because those stats don't show anything worth blowing up one's head

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: > > [snip] sɑlesforce[.com] is available for purchase right now. >>> I was going to suggest banning non-Latin-glyph domains, since they are yet

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy wrote: > > On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: >> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy >> wrote: >>> Why isn’t anyone’s head blowing up over the Let’s Encrypt

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: [snip] sɑlesforce[.com] is available for purchase right now. I was going to suggest banning non-Latin-glyph domains, since they are yet another useful phishing weapon. FF converts all such domains into Punycode when typed or
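The sɑlesforce[.com] example above (U+0251, LATIN SMALL LETTER ALPHA, in place of "a") is the kind of lookalike that a browser hands to DNS and TLS in its Punycode ("xn--") form. The following is an added illustration, not code from the thread or from any browser: it shows the wire form Python's built-in IDNA codec produces, a script check per label, and a confusable-skeleton check against a caller-supplied list of protected brand names. The CONFUSABLES table is a constructed subset of the Unicode confusables data, not the full table, and `protected` is an assumed input.

```python
"""Homograph checks for a hostname (added example, not from the thread).

Demonstrates three things a practitioner wants to see for a lookalike
domain such as s\u0251lesforce.com:
  1. the ASCII (Punycode, "xn--") form that actually goes into DNS/SNI,
  2. whether a label mixes scripts (the check most IDN display policies use),
  3. whether a label's confusable "skeleton" collides with a protected name.
Point 3 matters because U+0251 is itself a LATIN letter: a mixed-script
check alone passes s\u0251lesforce, while the skeleton check catches it.
"""
import unicodedata

# Constructed subset of lookalike -> ASCII mappings (UTS #39 style); the real
# confusables table is far larger. Assumption: this subset is enough to
# demonstrate the mechanism.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA  (the s\u0251lesforce case)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ascii(hostname: str) -> str:
    """Return the Punycode ('xn--') form a client sends in DNS and TLS SNI."""
    return hostname.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Rough per-label script set, derived from Unicode character names."""
    out = set()
    for ch in label:
        if ch.isascii():
            out.add("LATIN" if ch.isalpha() else "COMMON")
            continue
        out.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return out


def skeleton(label: str) -> str:
    """Fold lookalike characters to their ASCII targets (subset above)."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(hostname: str, protected: set) -> dict:
    """Report wire form, IDN/mixed-script flags, and any brand collision.

    `protected` is an assumed caller-supplied set of ASCII brand labels.
    """
    labels = hostname.lower().split(".")
    report = {
        "ascii": to_ascii(hostname),
        "is_idn": any(not lab.isascii() for lab in labels),
        "mixed_script": False,
        "collides_with": None,
    }
    for lab in labels:
        if len(scripts(lab) - {"COMMON"}) > 1:
            report["mixed_script"] = True
        sk = skeleton(lab)
        if sk != lab and sk in protected:
            report["collides_with"] = sk
    return report


if __name__ == "__main__":
    brands = {"salesforce", "paypal"}  # constructed sample list
    for host in ("s\u0251lesforce.com", "p\u0430ypal.com", "salesforce.com"):
        print(host, analyze(host, brands))
```

Note the asymmetry the two checks expose: the Cyrillic-a paypal label is mixed-script and is caught by that rule, whereas the Latin-alpha salesforce label is single-script and only the skeleton comparison flags it. A display policy based on script mixing alone is therefore not sufficient against same-script confusables.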

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/8/2019 7:04 PM, Paul Walsh via dev-security-policy wrote: On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy wrote: On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy wrote: [snip] Some

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote: [PW] Ronald, I don’t believe better detection and prevention is the answer for anti-phishing - but not trying isn’t an option, obviously. With billions of dollars being invested in this area, and with hundreds of millions changing

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Eric Mill via dev-security-policy
Hi Paul, Those statements are both hyperbolic representations of others' points of view. There are plenty of people who are skeptical about the effectiveness of EV and its associated UI who nonetheless believe that some sense of trustworthiness about websites is important. For example, Mozilla

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/9/2019 11:02 AM, Paul Walsh via dev-security-policy wrote: On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy wrote: On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: [snip] sɑlesforce[.com] is available for purchase right now. I was going to suggest

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Eric Mill via dev-security-policy
(apologies to anyone who gets this twice, my first email got sent to some spam folders, so I took out the example domain I used) Hi Paul, Those statements are both hyperbolic representations of others' points of view. There are plenty of people who are skeptical about the effectiveness of EV

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 12:39 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/8/2019 7:04 PM, Paul Walsh via dev-security-policy wrote: >>> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote: >> [PW] Ronald, I don’t believe better detection and prevention is the answer >> for anti-phishing - but not trying isn’t an option, obviously. With