On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via
dev-security-policy wrote:
> Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer:
> > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
> > dev-security-policy wrote:
> > > Sure I can register a company and get
Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer:
> On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
> dev-security-policy wrote:
> > Sure I can register a company and get an EV certificate for that company.
> > But can I do this completely anonymous like getting a DV
On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via
dev-security-policy wrote:
> Sure I can register a company and get an EV certificate for that company.
> But can I do this completely anonymous like getting a DV cert?
Yes.
> Nobody is arguing that EV certificates are perfect and
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in
On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
> > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > > Deploying a Stripe Inc EV SSL from a
Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane:
> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> > using an EV SSL in conjunction with a domain name and website with the true
> >
>
> What evidence or research shows that the new location is providing better
> protection for the end users?
What evidence or research shows that any location provides any protection for
the end users?
___
dev-security-policy mailing list
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote:
> On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
> dev-security-policy@lists.mozilla.org> wrote:
> > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> > dev-security-policy wrote:
> > > Shouldn’t
Daniel Marschall via dev-security-policy
writes:
>I just looked at Opera and noticed that they don't have any UI difference at
>all, which means I have to open the X.509 certificate to see if it is EV or
>not.
Does anyone know when Opera made the change? They had EV UI at one point, and
then
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via
dev-security-policy wrote:
> Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
> > [...] From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their
Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
>
> [...] From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are merely
> modifying their UIs guided by relevant research into the efficacy (or lack
> thereof) of the current UI.
>
> -
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
using an EV SSL in conjunction with a domain name and website with the true
intent to dupe potential customers is another matter. I'm trying to get past
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote:
> On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy
> wrote:
> > However, as a user I support EV SSL. I personally have never come across
> > a scam site that displayed an EV SSL (I'm not saying they
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> dev-security-policy wrote:
> > Shouldn’t the large enterprises that see a value in identity (as
> > does GlobalSign) drive
On Fri, Aug 16, 2019 at 01:37:40PM +, Doug Beattie via dev-security-policy
wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
>
> Surely this shows that EV is not needed to make phishing work, not that EV
> reduces phishing?
On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via dev-security-policy
wrote:
> Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?
Can you point me to the in-progress discussion in the CA/B Forum lists
that is
I don't know about other CAs, but at SSL.com we issue a very limited number of
EV SSL certificates in comparison to other certificates so it's not a big
revenue driver.
However, as a user I support EV SSL. I personally have never come across a scam
site that displayed an EV SSL (I'm not saying
Leo Grove via dev-security-policy
writes:
>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion in on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as
Doug Beattie writes:
>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site
>
> See also the screenshot I posted earlier. That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them. These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use. For a little extra payment
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as
.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy
> mailto:dev-security-policy@lists.mozilla.org > w
From: Ben Laurie
Sent: Friday, August 16, 2019 9:33 AM
To: Doug Beattie
Cc: Jonathan Rudenberg ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
the URL bar
On Fri, 16 Aug 2019 at 14:31, Doug
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
Surely this shows that EV is not needed to make phishing work, not that
From: Jonathan Rudenberg
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
>
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type?
>
> Here is some research that
sites are safer:
https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
-Original Message-
From: Peter Gutmann
Sent: Thursday, August 15, 2019 10:03 PM
To: Doug Beattie ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended
Eric Mill writes:
>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.
See also the screenshot I posted earlier. That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to
> -Original Message-
> From: dev-security-policy On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Valid
Doug Beattie writes:
>So far I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.
See the phishing stats from any source you care to use. I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL
Doug Beattie writes:
>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?
Uhhh... I don't even know where to start. We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and
/cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
>
>
> Baffled…
>
>
>
>
>
>
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists
affled…
>
>
>
>
>
>
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
t; On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
My understanding of the days before EV was that the CAs themselves made up
the validation requirements for DV and because of this there was an uneven
validation requirements across the industry. EV was the first document
created to solve this and standardise validation requirements for a
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
So far I see is a number of contrived test cases picking apart small components
of EV, and no real data to back it up.
I also would like to see more evidence of problems. However, I have to
object to the idea that
Mostly
Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
>
>
>
>
> On Thu, Aug 1
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates? From the reports I've seen, the percentage of
> phishing and
Message-
From: dev-security-policy On
Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar
Jakob Bohm
Peter Bowen via dev-security-policy
writes:
>I have to admit that I'm a little confused by this whole discussion. While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.
Oh,
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:
> On 14/08/2019 18:18, Peter Bowen wrote:
> > On thing I've found really useful in working on user experience is to
> > discuss things using problem & solution statements that show the before
> and
> > after. For example, "It used to take 10
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the
On 14/08/2019 18:18, Peter Bowen wrote:
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
A policy of switching from positive to negative indicators of security
differences is no justification to switch to NO indication. And it
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> A policy of switching from positive to negative indicators of security
> differences is no justification to switch to NO indication. And it
> certainly doesn't help user
Daniel Marschall via dev-security-policy
writes:
>I share the opinion with Jakob, except with the CVE. Please remove this
>change. It is unnecessary and kills the EV market.
And that was my motivation for the previous question: We know from a decade of
data that EV certs haven't made any
I share the opinion with Jakob, except with the CVE. Please remove this change.
It is unnecessary and kills the EV market.
But if you insist on keeping that UI change, maybe you can at least give the
lock symbol a different color if it is an EV cert?
DO NOT SHIP THIS. Revert the change immediately and request a CVE
number for the nightlies with this change included.
That Chrome does something harmful is not surprising, and is no
justification for a supposedly independent browser to do the same.
A policy of switching from positive to
47 matches
Mail list logo
