Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 6:15:44 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > What the heck does it mean when sometimes you say you are posting "

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
> OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters and anti-virus apps use EV data in their anti-phishing > algorithms). > > This is super easy, and doesn't even require

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Friday, August 30, 2019 at 11:38:55 AM UTC-7, Peter Bowen wrote: > On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > I'll just reiterate my point and then drop the subject. EV certificate > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-03 Thread Kirk Hall via dev-security-policy
Last week I posted reasons why Mozilla shouldn’t remove the EV UI from Firefox. In addition to the discussion on how the EV UI can inform users when a website does or does not have confirmed identity before they choose to type in their password or credit card number (after a little user

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
This string is about Mozilla’s announced plan to remove the EV UI from Firefox in October. Over time, this will tend to eliminate confirmed identity information about websites from the security ecosystem, as EV website owners may decide it’s not worth using an EV certificate if browsers

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In this case, the use of EV certificates, and the presumption of >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 12:17:22 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Sure, I’m happy to explain, using Bank of America as an example. >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > This string is about Mozilla’s announced plan to remove the EV UI from > > Firefox in October. Over time, this will te

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Could you point to the browsing phishing filters and anti-phishing >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Kirk Hall via dev-security-policy
Most of the comments against EV certificates on this list have been focused on whether or not the current Firefox EV UI is relied on by Firefox users to make security decisions. (Actually, I have only seen a Google paper on this issue in Chrome, no research from Firefox.) But there is an

Re: An honest viewpoint: Move Extended Validation Information out of the URL bar

2019-09-07 Thread Kirk Hall via dev-security-policy
On Friday, September 6, 2019 at 4:17:44 PM UTC-7, Oliver wrote: > On Friday, September 6, 2019 at 11:44:30 AM UTC-7, browser...@gmail.com wrote: > > > Thanks for the update Jonathan, the article I read didn't mention the > > funding source, but the article wasn't the point of my post. > > > >

Re: An honest viewpoint: Move Extended Validation Information out of the URL bar

2019-09-07 Thread Kirk Hall via dev-security-policy
Here is another comment from a major anti-phishing service – PhishLabs - about the value of EV certificates in detecting malicious websites. Its CTO, John LaCour, is willing to go on the record, and he concludes with this statement: “So should web browsers provide a visual indicator to users

Website owner survey data on identity, browser UIs, and the EV UI

2019-09-21 Thread Kirk Hall via dev-security-policy
The Mozilla community seeks broad input before important security decisions like changing the Firefox UI, but it almost never receives any input from one important group – website owners themselves. To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server certificate customers

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-21 Thread Kirk Hall via dev-security-policy
On Saturday, September 21, 2019 at 6:19:29 PM UTC-7, Ryan Sleevi wrote: > On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server >

Updated website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kirk Hall via dev-security-policy
On September 21, I sent a message to the Mozilla community with the results of a survey of all of Entrust Datacard’s customers (both those who use EV certificates, and those who don’t) concerning what they think about website identity in browsers, browser UIs in general, and EV browser UIs in

Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-17 Thread Kirk Hall via dev-security-policy
Congratulations to Mozilla and its Firefox team! Here is a ZDNet article [1] from today: “Germany's cyber-security agency [BSI] recommends Firefox as most secure browser” “Germany's BSI tested Firefox, Chrome, IE, and Edge. Firefox was only browser to pass all minimum requirements for

Re: Firefox removes UI for site identity

2019-10-22 Thread Kirk Hall via dev-security-policy
I also have a question for Mozilla on the removal of the EV UI. This issue started with a posting by Mozilla on August 12, but despite 237 subsequent postings from many members of the Mozilla community, I don't think Mozilla staff ever responded to anything or anyone - not to explain or