Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Matt Palmer via dev-security-policy
On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via dev-security-policy wrote: > Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer: > > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via > > dev-security-policy wrote: > > > Sure I can register a company and get

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Josef Schneider via dev-security-policy
Am Dienstag, 27. August 2019 00:48:38 UTC+2 schrieb Matt Palmer: > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via > dev-security-policy wrote: > > Sure I can register a company and get an EV certificate for that company. > > But can I do this completely anonymous like getting a DV

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Matt Palmer via dev-security-policy
On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via dev-security-policy wrote: > Sure I can register a company and get an EV certificate for that company. > But can I do this completely anonymous like getting a DV cert? Yes. > Nobody is arguing that EV certificates are perfect and

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Ronald Crane via dev-security-policy
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote: Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane: On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Wayne Thayer via dev-security-policy
On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane: > > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: > > > Deploying a Stripe Inc EV SSL from a

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Josef Schneider via dev-security-policy
Am Sonntag, 18. August 2019 20:05:42 UTC+2 schrieb Ronald Crane: > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: > > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but > > using an EV SSL in conjunction with a domain name and website with the true > >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-19 Thread scott.helme--- via dev-security-policy
> > What evidence or research shows that the new location is providing better > protection for the end users? What evidence or research shows that any location provides any protection for the end users? ___ dev-security-policy mailing list

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote: > On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, < > dev-security-policy@lists.mozilla.org> wrote: > > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via > > dev-security-policy wrote: > > > Shouldn’t

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy writes: >I just looked at Opera and noticed that they don't have any UI difference at >all, which means I have to open the X.509 certificate to see if it is EV or >not. Does anyone know when Opera made the change? They had EV UI at one point, and then

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via dev-security-policy wrote: > Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer: > > [...] From what I can see so far, > > browser vendors aren't "ending" EV certificates, a couple of them are merely > > modifying their

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Daniel Marschall via dev-security-policy
Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer: > > [...] From what I can see so far, > browser vendors aren't "ending" EV certificates, a couple of them are merely > modifying their UIs guided by relevant research into the efficacy (or lack > thereof) of the current UI. > > -

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Ronald Crane via dev-security-policy
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in conjunction with a domain name and website with the true intent to dupe potential customers is another matter. I'm trying to get past

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Leo Grove via dev-security-policy
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote: > On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy > wrote: > > However, as a user I support EV SSL. I personally have never come across > > a scam site that displayed an EV SSL (I'm not saying they

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Paul van Brouwershaven via dev-security-policy
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via > dev-security-policy wrote: > > Shouldn’t the large enterprises that see a value in identity (as > > does GlobalSign) drive

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Fri, Aug 16, 2019 at 01:37:40PM +, Doug Beattie via dev-security-policy wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished > > Surely this shows that EV is not needed to make phishing work, not that EV > reduces phishing?

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via dev-security-policy wrote: > Shouldn’t the large enterprises that see a value in identity (as > does GlobalSign) drive the need for ending EV certificates? Can you point me to the in-progress discussion in the CA/B Forum lists that is

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy wrote: > However, as a user I support EV SSL. I personally have never come across > a scam site that displayed an EV SSL (I'm not saying they don't exist). > Has anyone else come across a "scam site" displaying EV

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
I don't know about other CAs, but at SSL.com we issue a very limited number of EV SSL certificates in comparison to other certificates so it's not a big revenue driver. However, as a user I support EV SSL. I personally have never come across a scam site that displayed an EV SSL (I'm not saying

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Leo Grove via dev-security-policy writes: >Are you referring to EV Code Signing certificates? I agree that needs to be >addressed in another forum, but this discussion in on EV SSL/TLS and their >value (or lack thereof) in the browser UI. Browsers do not support EV Code >Signing in the UI as

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >One of the reasons that phishers don’t get EV certificates is because the >vetting process requires several interactions and corporate repositories >which end up revealing more about their identity. This leaves a trail back >to the individual that set up the fake site

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
> > See also the screenshot I posted earlier.  That was from a black-market web > site selling EV certificates to anyone with the stolen credit cards to pay for > them.  These are legit EV certs issued to legit companies, available off the > shelf for criminals to use.  For a little extra payment

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread tegeran--- via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote: > Yes, I work for a CA that issues EV certificates, but if there was no value > in them, then our customers would certainly not be paying extra for them. > Shouldn’t the large enterprises that see a value in identity (as

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Zu via dev-security-policy
.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of > the URL bar > > On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy > mailto:dev-security-policy@lists.mozilla.org > w

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
From: Ben Laurie Sent: Friday, August 16, 2019 9:33 AM To: Doug Beattie Cc: Jonathan Rudenberg ; Peter Gutmann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar On Fri, 16 Aug 2019 at 14:31, Doug

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Ben Laurie via dev-security-policy
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished Surely this shows that EV is not needed to make phishing work, not that

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
From: Jonathan Rudenberg Sent: Friday, August 16, 2019 9:04 AM To: Doug Beattie ; Peter Gutmann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jonathan Rudenberg via dev-security-policy
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote: > Peter, > > I'm not claiming that EV reduces phishing globally, just for those sites > that use them. Do you have a chart that breaks down phishing attacks by SSL > certificate type? > > Here is some research that

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
sites are safer: https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf -Original Message- From: Peter Gutmann Sent: Thursday, August 15, 2019 10:03 PM To: Doug Beattie ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Fwd: Intent to Ship: Move Extended

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Eric Mill writes: >CAs should be careful about casually and dramatically overestimating the >roadblocks that EV certificates present to attackers. See also the screenshot I posted earlier.  That was from a black-market web site selling EV certificates to anyone with the stolen credit cards to

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Robin.Lin
> -Original Message- > From: dev-security-policy On > Behalf Of Peter Gutmann via dev-security-policy > Sent: Friday, August 16, 2019 10:03 AM > To: Doug Beattie ; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Fwd: Intent to Ship: Move Extended Valid

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >So far I see is a number of contrived test cases picking apart small >components of EV, and no real data to back it up. See the phishing stats from any source you care to use. I've already mentioned the APWG which I consider the premier source, and also linked to the SSL

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie writes: >Do you have any empirical data to backup the claims that there is no benefit >from EV certificates? Uhhh... I don't even know where to start. We have over ten years of data and research publications on this, and the lack of benefit was explicitly cited by Google and

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
/cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf > > > > Baffled… > > > > > > > > From: Tom Ritter > Sent: Thursday, August 15, 2019 1:13 PM > To: Doug Beattie > Cc: Peter Gutmann ; MozPol < > mozilla-dev-security-pol...@lists

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ian Carroll via dev-security-policy
affled… > > > > > > > > From: Tom Ritter > Sent: Thursday, August 15, 2019 1:13 PM > To: Doug Beattie > Cc: Peter Gutmann ; MozPol > > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of > the URL bar >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Rescorla via dev-security-policy
t; On > Behalf Of Peter Gutmann via dev-security-policy > Sent: Wednesday, August 14, 2019 9:04 PM > To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm > > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out > of the URL bar >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread James Burton via dev-security-policy
My understanding of the days before EV was that the CAs themselves made up the validation requirements for DV and because of this there was an uneven validation requirements across the industry. EV was the first document created to solve this and standardise validation requirements for a

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ronald Crane via dev-security-policy
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote: So far I see is a number of contrived test cases picking apart small components of EV, and no real data to back it up. I also would like to see more evidence of problems. However, I have to object to the idea that Mostly

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
Thursday, August 15, 2019 1:13 PM > To: Doug Beattie > Cc: Peter Gutmann ; MozPol < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out > of the URL bar > > > > > > On Thu, Aug 1

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Tom Ritter via dev-security-policy
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Peter, > > Do you have any empirical data to backup the claims that there is no > benefit > from EV certificates? From the reports I've seen, the percentage of > phishing and

RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Doug Beattie via dev-security-policy
Message- From: dev-security-policy On Behalf Of Peter Gutmann via dev-security-policy Sent: Wednesday, August 14, 2019 9:04 PM To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar Jakob Bohm

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: >Problem example: >[...] You're explaining how it's supposed to work in theory, not in the real world. We have a decade of real-world data showing that it doesn't work, that there's no benefit from EV certificates apart from the one to CA's balance

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2019 21:55, Peter Bowen wrote: On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote: On 14/08/2019 18:18, Peter Bowen wrote: On thing I've found really useful in working on user experience is to discuss things using problem & solution statements that show the before and after. For

Re: [FORGED] Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Gutmann via dev-security-policy
Peter Bowen via dev-security-policy writes: >I have to admit that I'm a little confused by this whole discussion. While >I've been involved with PKI for a while, I've never been clear on the >problem(s) that need to be solved that drove the browser UIs and creation of >EV certificates. Oh,

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote: > On 14/08/2019 18:18, Peter Bowen wrote: > > On thing I've found really useful in working on user experience is to > > discuss things using problem & solution statements that show the before > and > > after. For example, "It used to take 10

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > EV was originally an initiative to make the CAs properly vet OV > certificates, and to mark those CAs that had done a proper job. > EV issuing CAs were permitted to still sell the

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2019 18:18, Peter Bowen wrote: On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: A policy of switching from positive to negative indicators of security differences is no justification to switch to NO indication. And it

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > A policy of switching from positive to negative indicators of security > differences is no justification to switch to NO indication. And it > certainly doesn't help user

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy writes: >I share the opinion with Jakob, except with the CVE. Please remove this >change. It is unnecessary and kills the EV market. And that was my motivation for the previous question: We know from a decade of data that EV certs haven't made any

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Daniel Marschall via dev-security-policy
I share the opinion with Jakob, except with the CVE. Please remove this change. It is unnecessary and kills the EV market. But if you insist on keeping that UI change, maybe you can at least give the lock symbol a different color if it is an EV cert?

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Jakob Bohm via dev-security-policy
DO NOT SHIP THIS. Revert the change immediately and request a CVE number for the nightlies with this change included. That Chrome does something harmful is not surprising, and is no justification for a supposedly independent browser to do the same. A policy of switching from positive to