Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-01 Thread Paul Walsh via dev-security-policy
On Saturday, September 21, 2019 at 6:19:29 PM UTC-7, Ryan Sleevi wrote: > On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org > > wrote: > >> To remedy this, Entrust Datacard surveyed all of

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-01 Thread Paul Walsh via dev-security-policy
On Sunday, September 22, 2019 at 7:49:14 AM UTC-7, Gijs Kruitbosch wrote: [snip] > On 22/09/2019 00:52, Kirk Hall wrote: > > (1) *97%* of respondents agreed or strongly agreed with the statement: > > "Customers / users have the right to know which organization is running a > > website if the

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or security

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:20 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote: In separate research, CAs have shown data to demonstrate that website owners want to have their identity verified. >>> >>> They have not. In fact, I would say that most

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy wrote: > > On 2019-10-02 09:20, Kurt Roeckx wrote: >> On 2019-10-02 02:39, Paul Walsh wrote: >>> >>> According to Ellis, the goal for a customer survey is to get feedback from >>> people who had recently experienced "real usage"

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy wrote: > > On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote: >> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >>> New tools such as Modlishka now automate phi

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:11 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote: >> On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy >> wrote: >>> >>> On 2019-10-02 09:20, Kurt Roeckx wrote: On 2019-10-02 02:39, Paul Walsh wrote: >

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:18 PM, Ronald Crane via dev-security-policy > wrote: > > > On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy >> wrote: >>> On 10/1/2019 6:56 PM, Paul

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:27 PM, Peter Gutmann via dev-security-policy > wrote: > > Ronald Crane via dev-security-policy > writes: > >> "Virtually impossible"? "Anyone"? Really? Those are big claims that need real >> data. > > How many references to research papers would you like? Would a

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other cha

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:21 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 3:17 PM, Paul Walsh wrote: >>> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/9/2019 2

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 3:23 PM, Ryan Sleevi wrote: > > > > On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > I believe an alternative icon to the encryption lock would make a mass

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: >>> On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/8/

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
. To summarize, we agree that WebAuthn is brilliant. And on everything else, you fail to provide any insights or data to suggest why anything I’ve said is hyperbolic. There are many threads in which I have provided data, so it’s best to reply to those rather than a message that contains nothi

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-09 Thread Paul Walsh via dev-security-policy
ote: > > > >> On Oct 9, 2019, at 3:23 PM, Ryan Sleevi > <mailto:r...@sleevi.com>> wrote: >> >> >> >> On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy >> > <mailto:dev-security-policy@lists.mozilla.org>> w

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:19 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> The data suggests that automatically issued DV certs for free is a favorite >> for criminals. > > True, but that one's just an instance of Sutton's

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
Ryan, You just proved me right by saying I’m confused because I hold an opinion about how you conduct yourself when collaborating with industry stakeholders. My observations are the same across the board. I don’t think I’m confused. But you’re welcome to disagree with me. And, it’s not

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 12:51 PM, Matthew Hardeman wrote: > > > On Tue, Oct 8, 2019 at 2:10 PM Ryan Sleevi via dev-security-policy > > wrote: > On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh > wrote: > > so we need better

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
I read Jeremy’s last response before posting my comment. Dear Ryan, It would help a great deal, if you tone down your constant insults towards the entire CA world. Questioning whether you should trust any CA is a bridge too far. Instead, why don’t you try to focus on specific issues with

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 4:19 AM, carsten.mueller.gl--- via dev-security-policy > wrote: > >> But the target audience for phishing are uninformed people. People which >> have no idea what a EV cert is. People who don't even blink if the English >> on the phishing page is worse than a 5-year old

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 12:44 PM, Ryan Sleevi wrote: > > Paul, [snip] > It does not seem you're interested in finding solutions for the issues, [PW] You are mixing things up Ryan. I am interested in finding solutions to issues. I specifically kept my message on point, which was your tone and

Re: Updated website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
I finally got around to digesting the email below. Summary/Reminder: CA related data on website identity from the perspective of website owners. As Homer Simpson said, "70% of all reports are made up". So, everything put forward by me in previous messages, or anyone else, must be taken with a

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:52 PM, Peter Gutmann wrote: > > Paul Walsh writes: > >> I would like to see one research paper published by one browser vendor to >> show that website identity visual indicators can not work. > > Uhhh... are you serious with that request? You're asking for a study

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or sec

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other cha

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 4:05 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:27 PM, Peter Gutmann wrote: >> Ronald Crane via dev-security-policy >> writes: >> >>> "Virtually impossible"? "Anyone"? Really? Those are big claims that need >>> real >>> data. >> How many

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: > > [snip] >>>> sɑlesforce[.com] is available for purchase right now. >>> I was going to suggest banning non-

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy wrote: > > On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: >> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy >> wrote: >>> Why isn’t anyone’s head blowin

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 12:39 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/8/2019 7:04 PM, Paul Walsh via dev-security-policy wrote: >>> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/2/

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 1:07 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/8/2019 7:16 PM, Paul Walsh via dev-security-policy wrote: >> [PW] Ronald, I don’t believe better detection and prevention is the answer >> for anti-phishing - but not trying is

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-11 Thread Paul Walsh via dev-security-policy
Everything I have ever said on this thread can now be found in one article: https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ This was by invitation of the CA Security Council a few months ago. I have never worked for a CA and I have never had any reason to say anything in

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-11 Thread Paul Walsh via dev-security-policy
I’ve replied for the record even though you say this is your last post on this particular thread, or to me. I’m good with that as I don’t think you care about anything anyone says outside the browser vendor world anyway. > On Oct 9, 2019, at 5:09 PM, Ryan Sleevi wrote: > > > > On Wed,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-14 Thread Paul Walsh via dev-security-policy
I have two questions Ronald: 1. What should I look for? I just see a DV cert from Let’s Encrypt. 2. Why did you message the entire community about whatever it is you’ve found? Thanks, Paul Sent from my iPhone > On Oct 12, 2019, at 11:04 AM, Ronald Crane via dev-security-policy > wrote: >

Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
> On Oct 24, 2019, at 2:59 PM, Julien Vehent via dev-security-policy > wrote: > > On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote: >> There is zero data from any company to prove that browser UI for website >> identity can’t work. > >

Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
On Oct 24, 2019, at 12:36 PM, Phillip Hallam-Baker via dev-security-policy wrote: > > Eric, > > I am not going to be gaslighted here. > > Just what was your email supposed to do other than "suppressing dialogue > within this community"? > > I was making no threat, but if I was still working

Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
> On Oct 24, 2019, at 6:53 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> we conducted the same research with 85,000 active users over a period of >> 12 months > > As I've already pointed out weeks ago when you first raised

Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
On Oct 24, 2019, at 6:53 PM, Peter Gutmann wrote: >> >> Paul Walsh via dev-security-policy >> writes: >> >>> we conducted the same research with 85,000 active users over a period of >>> 12 months >> >> As I've already pointed out weeks a

Re: [FORGED] Firefox removes UI for site identity

2019-10-28 Thread Paul Walsh via dev-security-policy
> On Oct 28, 2019, at 2:12 PM, James Burton wrote: > > [PW] Phil knows more about the intent so I’ll defer to his response at the > end of this thread. I would like to add that computer screens bigger than > mobile devices aren’t going away. So focusing only on mobile isn’t a good > idea. >

Re: [FORGED] Firefox removes UI for site identity

2019-10-28 Thread Paul Walsh via dev-security-policy
On Oct 25, 2019, at 7:56 AM, Phillip Hallam-Baker wrote: > > > > On Fri, Oct 25, 2019 at 4:21 AM James Burton > wrote: > Extended validation was introduced at a time when mostly everyone browsed the > internet using low/medium resolution large screen devices that

Re: [FORGED] Firefox removes UI for site identity

2019-10-28 Thread Paul Walsh via dev-security-policy
> On Oct 28, 2019, at 3:39 PM, Wayne Thayer wrote: > > Hi Paul, > > On Mon, Oct 28, 2019 at 2:41 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > > [PW] So you dislike Mozilla’s implementation for the tracker

Re: [FORGED] Firefox removes UI for site identity

2019-10-29 Thread Paul Walsh via dev-security-policy
taken from a competitor with links to their work. If you disagree with my conclusions, say so. But throwing insults is hardly adding value, is it? - Paul > > Thank you > > Burton > > On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy > <mailto:dev-

Re: [FORGED] Firefox removes UI for site identity

2019-10-29 Thread Paul Walsh via dev-security-policy
Hi Nick, > On Oct 29, 2019, at 7:07 AM, Nick Lamb wrote: > > On Mon, 28 Oct 2019 16:19:30 -0700 > Paul Walsh via dev-security-policy > wrote: >> If you believe the visual indicator has little or no value why did >> you add it? > > The EV indication dates

Re: [FORGED] Firefox removes UI for site identity

2019-10-29 Thread Paul Walsh via dev-security-policy
competitor with links to their work. If you > disagree with my conclusions, say so. But throwing insults is hardly adding > value, is it? > > - Paul > >> >> Thank you >> >> Burton >> >> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy >

Re: [FORGED] Firefox removes UI for site identity

2019-10-29 Thread Paul Walsh via dev-security-policy
If you > disagree with my conclusions, say so. But throwing insults is hardly adding > value, is it? > > - Paul > >> >> Thank you >> >> Burton >> >> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy >> > <

Re: Firefox removes UI for site identity

2019-10-22 Thread Paul Walsh via dev-security-policy
ollouts > and a general delay in users updating). > > Cheers, > > Johann > > On Tue, Oct 22, 2019 at 9:06 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > Direct question for Mozilla. > >

Re: Firefox removes UI for site identity

2019-10-23 Thread Paul Walsh via dev-security-policy
On Oct 22, 2019, at 4:49 PM, Matt Palmer via dev-security-policy wrote: > > On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy > wrote: >> I also have a question for Mozilla on the removal of the EV UI. > > This is a mischaracterisation. The EV UI has not been

Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy
> On Oct 18, 2019, at 7:55 AM, scott.helme--- via dev-security-policy > wrote: > > >> I hope the Mozilla community will celebrate this honor, but will also >> reconsider its proposal to drop support for EV certificates – that would >> mean that Firefox no longer meets all BSI requirements

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy
On Oct 18, 2019, at 6:31 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> I have no evidence to prove what I’m about to say, but I *suspect* that the >> people at BSI specified “EV” over the use of other terms because of the >>

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy
On Oct 18, 2019, at 6:39 PM, Peter Bowen wrote: > >  >> On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy >> wrote: > >> Paul Walsh via dev-security-policy >> writes: >> >> >I have no evidence to prove what I’m about to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-16 Thread Paul Walsh via dev-security-policy
/casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/> Thanks, - Paul > > -R > > On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote: >> I have two questions Ronald: >> >>

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-10-16 Thread Paul Walsh via dev-security-policy
> On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote: >> I have two questions Ronald: >> >> 1. What should I look for? I just see a DV cert from Let’s Encrypt. >> >> 2. Why did you message the entire community about whatever it is you’ve >>

Firefox removes UI for site identity

2019-10-22 Thread Paul Walsh via dev-security-policy
Direct question for Mozilla. Today, the website identity UI was removed from Firefox. “We” knew it was coming. But millions of users didn’t. Why wasn’t this mentioned in the release notes on the page that’s automatically opened following the update? Someone might say “they didn’t know it