Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Matt Palmer via dev-security-policy
On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via 
dev-security-policy wrote:
> On Tuesday, 27 August 2019 00:48:38 UTC+2, Matt Palmer wrote:
> > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via 
> > dev-security-policy wrote:
> > > Sure I can register a company and get an EV certificate for that company. 
> > > But can I do this completely anonymous like getting a DV cert?
> > 
> > Yes.
> 
> Not legally probably

Someone planning to commit fraud is unlikely to be deterred by the need to
commit fraud in order to commit fraud.

> and this also depends on the jurisdiction.  Since an
> EV cert shows the jurisdiction, a user can draw conclusions from that.

You're suggesting that Relying Parties need to familiarise themselves with
the validation procedures of every jurisdiction which is listed in an EV
certificate they are presented with, in order to establish the
trustworthiness of that EV certificate?

I'm just going to leave that there.  For posterity.

> > > Nobody is arguing that EV certificates are perfect and everything is good
> > > if you use them.  But they do raise the bar for criminals.  And in my
> > > opinion, significantly.
> > 
> > Except criminals don't need them.  Raising the bar doesn't help if you don't
> > need to go over the bar.
> 
> But removing the bar is also not the correct solution.  If you find out
> that the back door to your house is not secured properly, will you remove
> the front door because it doesn't matter anyway or do you strengthen the
> back door?

The problem with your analogy is that, in the case under discussion, there
is no known way to secure the back door, and it's the broken and unfixable
back door, not the front door, that is being removed.

So yes, if my back door was insecure, and the best information available
indicated that it couldn't be secured, and it was causing me time and money
to maintain in its current, insecure, state, I would absolutely remove it. 
I expect you would, too.  Although I can certainly understand that if you
were making money by allowing people to use my broken back door, you might
want to encourage me not to remove it.

> > > What I propose is for mozilla to not say "Fuck it, it's not working, just
> > > remove it!" but instead try to focus on finding a better UX solution to
> > > the problem that end users are not aware if a site that should have an EV
> > > certificate is not presenting one.
> > 
> > Why should Mozilla do all this work?  So far, all the evidence suggests that
> > EV certs do not do what their advocates say they do, and have a significant
> > cost to browsers (code complexity, administration of EV bits, etc) and
> > relying parties (need to learn what the EV UI means, what it does and
> > doesn't claim, etc).
> 
> Why should Mozilla do work to make the situation worse?  The current EV
> validation information in the URL works and is helpful to some users
> (maybe only a small percentage of users, but still...).  Why is mozilla
> interested in spending money making the situation worse?  If mozilla
> doesn't care about the empowerment of their users, the default would be to
> not change anything, not actively making it worse.

Not being Mozilla, I wouldn't presume to speak for them, but two
possibilities leap immediately to mind:

* It costs time and money to maintain the list of trust anchors approved for
  EV treatment -- OID mappings, evaluating EV sections of CP/CPSes, chasing
  audit reports, dealing with incident reports relating to EV validation
  failures, and discussing and evaluating proposed changes to the EVGLs.

* EV-related code in Mozilla software requires maintenance as other changes
  in surrounding code are made.  Less code == less things to change, so
  gutting the EV support reduces maintenance costs.

> EV certificates do make more assurances about the certificate owner than
> DV certificates.  This is a fact.  This information can be very useful for
> someone that understands what it means.  Probably most users don't
> understand what it means.  But why not improve the display of this
> valuable information instead of hiding it?

Because there is no indication of what an improved EV UI would look like.

I note that you've neglected to answer the question I posed.  If CAs sat
down and did some research into what an actual, useful EV UI would involve,
then Mozilla would have something to work from.  But it would appear that
CAs -- the organisations, I'll reiterate, that benefit financially from the
continued special UI treatment of EV certificates -- are not interested in
making such a contribution.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Josef Schneider via dev-security-policy
On Tuesday, 27 August 2019 00:48:38 UTC+2, Matt Palmer wrote:
> On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via 
> dev-security-policy wrote:
> > Sure I can register a company and get an EV certificate for that company. 
> > But can I do this completely anonymous like getting a DV cert?
> 
> Yes.

Not legally probably and this also depends on the jurisdiction. Since an EV 
cert shows the jurisdiction, a user can draw conclusions from that.

> > Nobody is arguing that EV certificates are perfect and everything is good
> > if you use them.  But they do raise the bar for criminals.  And in my
> > opinion, significantly.
> 
> Except criminals don't need them.  Raising the bar doesn't help if you don't
> need to go over the bar.
> 
But removing the bar is also not the correct solution. If you find out that the 
back door to your house is not secured properly, will you remove the front door 
because it doesn't matter anyway or do you strengthen the back door?


> > What I propose is for mozilla to not say "Fuck it, it's not working, just
> > remove it!" but instead try to focus on finding a better UX solution to
> > the problem that end users are not aware if a site that should have an EV
> > certificate is not presenting one.
> 
> Why should Mozilla do all this work?  So far, all the evidence suggests that
> EV certs do not do what their advocates say they do, and have a significant
> cost to browsers (code complexity, administration of EV bits, etc) and
> relying parties (need to learn what the EV UI means, what it does and
> doesn't claim, etc).

Why should Mozilla do work to make the situation worse? The current EV 
validation information in the URL works and is helpful to some users (maybe 
only a small percentage of users, but still...). Why is mozilla interested in 
spending money making the situation worse? If mozilla doesn't care about the 
empowerment of their users, the default would be to not change anything, not 
actively making it worse.

EV certificates do make more assurances about the certificate owner than DV 
certificates. This is a fact. This information can be very useful for someone 
that understands what it means. Probably most users don't understand what it 
means. But why not improve the display of this valuable information instead of 
hiding it?

Certificates cannot magically bring security. Certificates are about identity. 
But the fact that the owner of the website somebank.eu is the owner of the 
domain somebank.eu is not that helpful in determining the credibility. But the 
information that the owner of somebank.eu is an incorporated company from 
Germany officially called "Somebank AG" is more valuable. 
Maybe some people don't care and enter their account data happily at 
s0m1b4nk.xyz, maybe most people do. We don't know and we probably can't know 
how many people stopped and thought if they are actually at the correct website 
because the green bar was missing. But I am certain that it was more than zero. 

What mozilla now is proposing is: EV certificates have no use in any situation 
so basically remove them. I don't think that's true.

I am not a UX designer, but I am sure there are methods to incorporate this 
valuable information from EV certificates in a way that it is helpful to users.

Why not for example always open a small overlay with information when someone 
starts entering data in a password field? Something like "You are entering a 
password at web.page. You visited this page 5 times before, first on August 4th 
2019. We don't know anything about the owner" or for EV "You are entering a 
password at web.page. You visited this page 5 times before, first on August 4th 
2019. This server is run by "WebPage GmbH" from Vienna, Austria [fancy flag 
picture]".

As said, I am not a UX designer (or any graphical type of designer) so probably 
this idea is stupid. But my point is that the information in an EV certificate 
is useful **to the user** and should be presented in a way to empower the user 
and not be hidden.

- Josef


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Matt Palmer via dev-security-policy
On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via 
dev-security-policy wrote:
> Sure I can register a company and get an EV certificate for that company. 
> But can I do this completely anonymous like getting a DV cert?

Yes.

> Nobody is arguing that EV certificates are perfect and everything is good
> if you use them.  But they do raise the bar for criminals.  And in my
> opinion, significantly.

Except criminals don't need them.  Raising the bar doesn't help if you don't
need to go over the bar.

> What I propose is for mozilla to not say "Fuck it, it's not working, just
> remove it!" but instead try to focus on finding a better UX solution to
> the problem that end users are not aware if a site that should have an EV
> certificate is not presenting one.

Why should Mozilla do all this work?  So far, all the evidence suggests that
EV certs do not do what their advocates say they do, and have a significant
cost to browsers (code complexity, administration of EV bits, etc) and
relying parties (need to learn what the EV UI means, what it does and
doesn't claim, etc).

Instead of Mozilla continuing to take on the burden of keeping this ship
afloat, why don't the parties that benefit from selling EV certs (ie CAs) do
the hard yards to figure out what works, in a rigorous and scientific way,
and then present the results of that research to the wider community?

- Matt



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Ronald Crane via dev-security-policy

On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote:
> On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
> > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> > > using an EV SSL in conjunction with a domain name and website with the true
> > > intent to dupe potential customers is another matter. I'm trying to get past
> > > the theoretical and get to real world instances.
> >
> > I don't understand the idea that the Stripe proof-of-concept is
> > "theoretical". We know that phishing is epidemic, and we also know that
> > phishers presently need -- at most -- a DV cert. The POC shows that --
> > should something cause phishers to need an EV cert -- they can also get
> > one of those quickly and inexpensively. But why would a phisher bother
> > with an EV cert if a DV cert works just as well?
>
> The important question is can they get this without making them easily
> traceable?
> Sure I can register a company and get an EV certificate for that company. But
> can I do this completely anonymous like getting a DV cert?
>
> How long do you think would it have taken for the police to come and get Ian
> Carroll if he'd actually committed fraud?


Probably years, if ever, particularly if he lived in a subpoena-haven 
like Russia. My impression (as a U.S. citizen) is that U.S. police don't 
take online crimes seriously, and neither does the federal government. 
This idea is supported by the enormous amount of phishing and other 
online frauds in the U.S. My email client flags several new 
phishes/frauds each day. True, there has been a bit of action about the 
online crimes that subverted U.S. elections in 2016, but that's an 
unusual exception to the rule. Russia is, of course, refusing to 
extradite the people that Sp. Counsel Mueller indicted.



> ...What I propose is for mozilla to not say "Fuck it, it's not working, just
> remove it!" but instead try to focus on finding a better UX solution to the
> problem that end users are not aware if a site that should have an EV
> certificate is not presenting one.


I think this is a reasonable idea, particularly the last clause. I am 
not against EV, but neither am I convinced of its usefulness.


-R



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Wayne Thayer via dev-security-policy
On Mon, Aug 26, 2019 at 5:39 AM Josef Schneider via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
> > On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > > Deploying a Stripe Inc EV SSL from a state other than CA is one thing,
> > > but using an EV SSL in conjunction with a domain name and website with the
> > > true intent to dupe potential customers is another matter. I'm trying to
> > > get past the theoretical and get to real world instances.
> >
> > I don't understand the idea that the Stripe proof-of-concept is
> > "theoretical". We know that phishing is epidemic, and we also know that
> > phishers presently need -- at most -- a DV cert. The POC shows that --
> > should something cause phishers to need an EV cert -- they can also get
> > one of those quickly and inexpensively. But why would a phisher bother
> > with an EV cert if a DV cert works just as well?
>
>
> The important question is can they get this without making them easily
> traceable?
> Sure I can register a company and get an EV certificate for that company.
> But can I do this completely anonymous like getting a DV cert?
>
> How long do you think would it have taken for the police to come and get
> Ian Carroll if he'd actually committed fraud?
>
> Nobody is arguing that EV certificates are perfect and everything is good
> if you use them. But they do raise the bar for criminals. And in my
> opinion, significantly.
>
> What I propose is for mozilla to not say "Fuck it, it's not working, just
> remove it!" but instead try to focus on finding a better UX solution to the
> problem that end users are not aware if a site that should have an EV
> certificate is not presenting one.
>
>
The counter-argument is that not all problems can be solved with UX, and
getting browser users to recognize and respond to the lack of an EV
indicator is in that class of unsolvable problems.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Josef Schneider via dev-security-policy
On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote:
> On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> > Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but 
> > using an EV SSL in conjunction with a domain name and website with the true 
> > intent to dupe potential customers is another matter. I'm trying to get 
> > past the theoretical and get to real world instances.
> 
> I don't understand the idea that the Stripe proof-of-concept is 
> "theoretical". We know that phishing is epidemic, and we also know that 
> phishers presently need -- at most -- a DV cert. The POC shows that -- 
> should something cause phishers to need an EV cert -- they can also get 
> one of those quickly and inexpensively. But why would a phisher bother 
> with an EV cert if a DV cert works just as well?


The important question is can they get this without making them easily 
traceable?
Sure I can register a company and get an EV certificate for that company. But 
can I do this completely anonymous like getting a DV cert?

How long do you think would it have taken for the police to come and get Ian 
Carroll if he'd actually committed fraud?

Nobody is arguing that EV certificates are perfect and everything is good if 
you use them. But they do raise the bar for criminals. And in my opinion, 
significantly.

What I propose is for mozilla to not say "Fuck it, it's not working, just 
remove it!" but instead try to focus on finding a better UX solution to the 
problem that end users are not aware if a site that should have an EV 
certificate is not presenting one.

- Josef


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-19 Thread scott.helme--- via dev-security-policy
> 
> What evidence or research shows that the new location is providing better
> protection for the end users?

What evidence or research shows that any location provides any protection for 
the end users? 


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 09:14:52AM +0200, Paul van Brouwershaven wrote:
> On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
> dev-security-policy@lists.mozilla.org> wrote:
> > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> > dev-security-policy wrote:
> > > Shouldn’t the large enterprises that see a value in identity (as
> > > does GlobalSign) drive the need for ending EV certificates?
> >
> > Can you point me to the in-progress discussion in the CA/B Forum lists
> > that is proposing to end EV certificates?  From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their UIs guided by relevant research into the efficacy (or lack
> > thereof) of the current UI.
> 
> What evidence or research shows that the new location is providing better
> protection for the end users?

I don't think it requires rigorous research to show that 0 >= 0.

- Matt



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy writes:

>I just looked at Opera and noticed that they don't have any UI difference at
>all, which means I have to open the X.509 certificate to see if it is EV or
>not.

Does anyone know when Opera made the change?  They had EV UI at one point, and
then there's this bug report:

https://forums.opera.com/topic/17923/ev-certificate-looks-like-ov

which blames the lack of EV UI on Chromium, so something inherited from
Chrome.  It looks like it's then just a side-effect of the Chrome change and
allegedly "fixed in 44.0.2494.0", but Chrome 57 was from 2017, which means at
some point the change got reinstated.

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Matt Palmer via dev-security-policy
On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via 
dev-security-policy wrote:
> On Sunday, 18 August 2019 07:18:56 UTC+2, Matt Palmer wrote:
> > [...] From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their UIs guided by relevant research into the efficacy (or lack
> > thereof) of the current UI.
> 
> Matt, I don't understand this.  Isn't removing the UI bling the same as
> "removing" EV from the browser?

Yes, but removing EV from the browser isn't the same as ending EV
certificates, which is what was claimed in the message I responded to.

> I guess that EV will eventually be ended by the Customers/CAs.

We'll have to leave it to the invisible hand of the market to sort that out. 
If CAs cease issuing EV TLS/SSL certificates, it will presumably be because
customers are no longer buying them, and customers will cease buying them if
there is no perceived value in them, which is what CAs have repeatedly said
isn't the case.  So CAs ceasing to issue EV TLS/SSL certificates will be a
confirmation that, in fact, EV TLS/SSL certificates had no value beyond the
UI "bling", as you call it, which the research overwhelmingly indicates is
of trivial value.

> I just looked at Opera and noticed that they don't have any UI difference
> at all, which means I have to open the X.509 certificate to see if it is
> EV or not.

So that's one more browser vendor that sees no value in "UI bling" for EV
certificates.  It almost makes Firefox and Chrome look like the laggards in
this decision, rather than the harbingers of a new era.

- Matt



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Daniel Marschall via dev-security-policy
On Sunday, 18 August 2019 07:18:56 UTC+2, Matt Palmer wrote:
> 
> [...] From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are merely
> modifying their UIs guided by relevant research into the efficacy (or lack
> thereof) of the current UI.
> 
> - Matt

Matt, I don't understand this. Isn't removing the UI bling the same as 
"removing" EV from the browser? The UI difference is either so tiny or even 
non-existent, so I guess that EV will eventually be ended by the Customers/CAs. I 
just looked at Opera and noticed that they don't have any UI difference at all, 
which means I have to open the X.509 certificate to see if it is EV or not.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Ronald Crane via dev-security-policy

On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote:
> Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but
> using an EV SSL in conjunction with a domain name and website with the true
> intent to dupe potential customers is another matter. I'm trying to get past
> the theoretical and get to real world instances.


I don't understand the idea that the Stripe proof-of-concept is 
"theoretical". We know that phishing is epidemic, and we also know that 
phishers presently need -- at most -- a DV cert. The POC shows that -- 
should something cause phishers to need an EV cert -- they can also get 
one of those quickly and inexpensively. But why would a phisher bother 
with an EV cert if a DV cert works just as well?


-R



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Leo Grove via dev-security-policy
On Sunday, August 18, 2019 at 12:15:58 AM UTC-5, Matt Palmer wrote:
> On Fri, Aug 16, 2019 at 10:03:53PM -0700, Leo Grove via dev-security-policy 
> wrote:
> > However, as a user I support EV SSL.  I personally have never come across
> > a scam site that displayed an EV SSL (I'm not saying they don't exist). 
> > Has anyone else come across a "scam site" displaying EV that's not part of
> > an academic exercise?
> 
> Counter-question: why does that matter?
> 
> - Matt

It matters because someone on this discussion claimed to be able to buy an EV 
SSL on the black market and used it as a supporting argument against EV. I'd 
honestly like to know if anyone has seen one "in the wild" so to speak.

My write-up was from the perspective of a user so I'd like to know if I've been 
putting too much faith in EV SSL since there may be scam sites employing these 
pirated certificates.

Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but 
using an EV SSL in conjunction with a domain name and website with the true 
intent to dupe potential customers is another matter. I'm trying to get past 
the theoretical and get to real world instances.

Leo


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Paul van Brouwershaven via dev-security-policy
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, <
dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via
> dev-security-policy wrote:
> > Shouldn’t the large enterprises that see a value in identity (as
> > does GlobalSign) drive the need for ending EV certificates?
>
> Can you point me to the in-progress discussion in the CA/B Forum lists
> that is proposing to end EV certificates?  From what I can see so far,
> browser vendors aren't "ending" EV certificates, a couple of them are merely
> modifying their UIs guided by relevant research into the efficacy (or lack
> thereof) of the current UI.
>

What evidence or research shows that the new location is providing better
protection for the end users?


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Fri, Aug 16, 2019 at 01:37:40PM +, Doug Beattie via dev-security-policy 
wrote:
> DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
> 
> Surely this shows that EV is not needed to make phishing work, not that EV 
> reduces phishing?
> 
> [DB] It should show that users are safer when visiting an EV secured site.

When you have evidence of that, please feel free to share it.  Everything
that has been presented so far doesn't *actually* show that, it merely shows
something else that people then furiously hand-wave into "see, security!".

- Matt



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via dev-security-policy 
wrote:
> Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?

Can you point me to the in-progress discussion in the CA/B Forum lists
that is proposing to end EV certificates?  From what I can see so far,
browser vendors aren't "ending" EV certificates, a couple of them are merely
modifying their UIs guided by relevant research into the efficacy (or lack
thereof) of the current UI.

- Matt



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
I don't know about other CAs, but at SSL.com we issue a very limited number of 
EV SSL certificates in comparison to other certificates so it's not a big 
revenue driver.

However, as a user I support EV SSL. I personally have never come across a scam 
site that displayed an EV SSL (I'm not saying they don't exist). Has anyone 
else come across a "scam site" displaying EV that's not part of an academic 
exercise?

An EV SSL only connects the site domain to its registered owner, nothing more. 
After that, I can decide whether to trust that company or if more research is 
warranted. At the end of the day, the user must make a decision based on the 
information they are given. This includes reviewing the EV SSL, domain name, 
site contents and third party reviews and listings. With the removal of EV from 
the browser UI, that's one less signal users can rely on. 

For instance, my inbox receives increasingly sophisticated spam and phishing 
mailers that require me to do double and triple takes. This results in 
legitimate emails potentially being flagged as spam. One of the signals I use 
to verify linked sites within the emails is if they display EV certificates. I 
do not entirely rely on EV, but it helps to build a subconscious trust profile 
of that site along with the domain, content, site reviews and search listings. 
As a result, I've determined on a number of occasions that the emails were 
indeed authentic in part because of the EV. In this business, paranoia is 
survival.

Recently a neighbor asked me to verify a shoe site that he just purchased 
loafers from. Several red flags (ie Chanel header banner, unfamiliar domain 
name, etc) and no EV SSL prompted me to recommend he dispute the charge. Weeks 
later he confirmed it was indeed a scam site. Had the site displayed an EV SSL, 
I would have investigated more knowing the extra effort required to pass EV 
validation. But since no EV SSL appeared on the site, I didn't feel the need to 
waste any more time on the site.

I can't be the only person whose aunt, neighbor or spouse asks me to help 
verify a site. This tells me that they do not understand how to properly read 
the EV information, not that EV SSL is bad or ineffective.

I'm confounded why anyone would want less independently verified information on 
a site as opposed to more for fear EV doesn't perfectly suit their 
expectations. Well-known sites like google.com and amazon.com might not need EV 
as much as less well-known sites, but there are only a small number of these 
well-known sites. 

In comparison, the vast majority of sites are lesser-known and could benefit 
from as many validation signals as possible. I would think a local hospital or 
credit union who are increasingly targeted by phishing scams might argue an EV 
certificate would be one of the tools to help combat these types of scams. 

No single solution is perfect to eliminate online scams including EV SSL, but 
by removing the EV UI, the proverbial baby bath water comes to mind. I think 
the original intent of EV was and still remains noble. We should try to improve 
upon it, not discard it or relegate it to a virtually useless state. 

Scammers are a wily bunch, and they will always find some success in gaming or 
circumventing any system where human trust is involved. Let's try to make it 
harder for them, not throw our hands in the air and give up. At a minimum, 
consider keeping a color coded lock that would not take up any additional 
browser real estate and would give users "in the know" the EV signal. 

Otherwise, if the browsers have finalized their collective decisions on the 
matter, I do hope something better comes along that will benefit everyone. 
Treating all SSL/TLS certs as DV I think is a step backwards to 2007 when there 
was no EV, but we all knew something more than DV or OV was needed.

Leo
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Leo Grove via dev-security-policy  
writes:

>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion is on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as far as I know.
>
>It's been documented that EV Code Signing certificates are on the black
>market. Did you see the same thing for EV SSL/TLS?

Yes, you can buy both, I used the code-signing EV one because I happened to
have a screenshot handy from a writeup I'm working on.  In addition, EV code-
signing certs are much higher value, particularly when they come with
SmartScreen ratings, because they give you instant malware execution on a
billion plus systems, while EV web site certs are kinda meh.  So EV code
signing is the holy grail, the hardest to get, and yet they're readily
available on the black market.  EV web site certs are an afterthought in
comparison, "we also have those if you want 'em".

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Doug Beattie  writes:

>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity.  This leaves a trail back
>to the individual that set up the fake site which discourages the use of EV.

Again, this is how it works in theory and in CA sales pitches (OK, that second
bit was redundant).  Since you can buy EV certs off-the-shelf from underground
web sites, or get them directly yourself if you want to put in the effort, it
obviously doesn't work that way in practice.

In any case though that's just a distraction: Since phishing has been on the
increase year after year, the existence of EV certs is entirely irrelevant.
There's a great Dave Barry joke [0] where he explains how to threaten someone
with dynamite: You call them up, hold the burning dynamite fuse up to the
handset and say "You hear that? That's dynamite baby!".

EV certs are the same thing.  "You see that? That's an EV cert baby!".  It's
as effective a threat to phishing as Dave Barry's dynamite threat.

Peter.

[0] This joke has been credited to a number of sources, including Dave Barry.
It sounds like a Dave Barry to me.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Leo Grove via dev-security-policy
> 
> See also the screenshot I posted earlier.  That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them.  These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use.  For a little extra payment you can get ones with
> high SmartShield scores so your malware is instantly trusted by the victim's
> PC.
> 

Peter,

Are you referring to EV Code Signing certificates? I agree that needs to be 
addressed in another forum, but this discussion is on EV SSL/TLS and their 
value (or lack thereof) in the browser UI. Browsers do not support EV Code 
Signing in the UI as far as I know. 

It's been documented that EV Code Signing certificates are on the black market. 
Did you see the same thing for EV SSL/TLS? 

Leo

> >The burden is not on the web browsers to prove that EV is detrimental to
> >security - the burden is on third parties to prove that EV is beneficial.
> 
> Yup, as per my previous post.  We've got vast amounts of data on this, if
> there was a benefit to users then it shouldn't be hard to show that from the
> data.
> 
> Peter.



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread tegeran--- via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value 
> in them, then our customers would certainly not be paying extra for them.  
> Shouldn’t the large enterprises that see a value in identity (as does 
> GlobalSign) drive the need for ending EV certificates?  With Google and 
> Mozilla being prominent Lets Encrypt sponsors we know their intent is to 
> drive business to them vs. any of the commercially respectable CAs.  It’s 
> actually counter productive to security to sponsor a CA that issues so many 
> certificates to phishing and malware sites without any consequences.  Is this 
> to increase the value of their malware site detection services?  Maybe..
> 
> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * 
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf 
> 
>  
> 
> Baffled…


I'm baffled that anyone who has worked for a corporation could, in good faith, 
wonder how executives could be hoodwinked by "security" people telling them 
they need EV certificates, and then going to their low-level tech grunts and 
demanding implementation regardless of value. I have been involved in multiple 
such discussions, and it's always the same.


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Zu via dev-security-policy
Good afternoon all,

I would like to chime in with my two cents, if allowed:

1. Users do not notice the absence of a positive indicator. There is ample 
evidence, academic and otherwise. If users did notice the absence of a positive 
indicator, it follows that phishing without an EV certificate would be 
non-existent, as users would be noticing the lack of EV. Seeing the success of 
phishing indicates that users do not check for the absence of the indicator.

2. Further, if users did notice the lack of positive indicators, you can bet 
that phishers would do everything in their power to display the positive 
indicator. They don't, because... it doesn't matter. Even if we assumed that 
displaying the positive indicator did matter:

3. Obtaining an EV certificate is as easy as spending ~$100 to incorporate and 
waiting a day or two, or visiting an underground marketplace. It's not exactly 
breaking into Fort Knox.

Following these points to the logical conclusion, I cannot see why anyone 
(other than those with a financial interest in the sale of EV certificates) 
would be arguing against this UI change.

Cheers,



‐‐‐ Original Message ‐‐‐
On Friday, 16 August 2019 13:37, Doug Beattie via dev-security-policy 
 wrote:

> From: Ben laurieb...@google.com
> Sent: Friday, August 16, 2019 9:33 AM
> To: Doug Beattie doug.beat...@globalsign.com
> Cc: Jonathan Rudenberg jonat...@titanous.com; Peter Gutmann
> pgut...@cs.auckland.ac.nz; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> DB: Yes, that's true. I was saying that phishing sites don't use EV, not
> that EV sites don't get phished
>
> Surely this shows that EV is not needed to make phishing work, not that EV
> reduces phishing?
>
> [DB] It should show that users are safer when visiting an EV secured site.
>
>
> --
>
> I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
> #VerifyAllTheThings.
>
> https://g.co/u58vjr https://g.co/adjusu
>
> (Google internal)
>


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy




From: Ben Laurie 
Sent: Friday, August 16, 2019 9:33 AM
To: Doug Beattie 
Cc: Jonathan Rudenberg ; Peter Gutmann 
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of 
the URL bar



On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
that EV sites don't get phished

Surely this shows that EV is not needed to make phishing work, not that EV 
reduces phishing?



[DB] It should show that users are safer when visiting an EV secured site.



-- 

I am hiring! Formal methods, UX, SWE ... verified s/w and h/w. 
#VerifyAllTheThings.



https://g.co/u58vjr https://g.co/adjusu

(Google internal)





Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Ben Laurie via dev-security-policy
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
> that EV sites don't get phished

Surely this shows that EV is not needed to make phishing work, not that EV
reduces phishing?



-- 
I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
#VerifyAllTheThings.

https://g.co/u58vjr https://g.co/adjusu
*(Google internal)*


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
 

 

From: Jonathan Rudenberg
Sent: Friday, August 16, 2019 9:04 AM
To: Doug Beattie ; Peter Gutmann
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:

Peter,

I'm not claiming that EV reduces phishing globally, just for those sites
that use them.  Do you have a chart that breaks down phishing attacks by SSL
certificate type?

Here is some research that indicates EV sites have a reduced phishing
percentage, so customers accessing EV protected sites are safer:
   https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf

Doug,

Can you point me to the specific research you're referring to? All I see in
this presentation that's remotely relevant is a breakdown of the certificate
types used on detected phishing sites across a couple months. If this data
is correct, it doesn't seem to be useful information, and actually proves
one of the points that is behind the removal of EV UI.

DB: The presentation identifies that people don't set up phishing sites
using EV certificates, and yes, this data only over the last 11 months or
so.

If EV is required for a successful phishing attack, then attackers will just
get EV certificates. But all of the research that has been repeatedly
brought up in this thread shows that users don't use the EV UI when making
decisions about whether to trust a website, explaining why phishing sites
don't use EV very much.

DB: One of the reasons that phishers don't get EV certificates is because
the vetting process requires several interactions and corporate repositories
which end up revealing more about their identity.  This leaves a trail back
to the individual that set up the fake site which discourages the use of EV.
DV is completely anonymous and leaves very few traces.

Additionally, the idea that sites that use EV experience less phishing seems
deeply flawed. Banks are a huge target for phishing, and most of their
websites have EV certificates.

DB: Yes, that's true.  I was saying that phishing sites don't use EV, not
that EV sites don't get phished.

An interesting and clear recent example of this is PayPal, which is
obviously a very popular target for phishing. paypal.com technically has an
EV certificate, but due to the certificate chain used since early 2018, the
EV UI does not show up in the most popular browser (Chrome) on the most
popular desktop operating system (Windows)[1]. Given the amount of phishing
that PayPal experiences, it seems likely to me that they would have figured
out how to fix this if they thought it was worth the effort. They haven't.

DB: Maybe they should get an EV certificate and help train the users to look
for that on their login page to reduce the chances that their customers are
phished?

Jonathan

[1]
https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/





Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jonathan Rudenberg via dev-security-policy
On Fri, Aug 16, 2019, at 07:56, Doug Beattie via dev-security-policy wrote:
> Peter,
> 
> I'm not claiming that EV reduces phishing globally, just for those sites
> that use them. Do you have a chart that breaks down phishing attacks by SSL
> certificate type? 
> 
> Here is some research that indicates EV sites have a reduced phishing
> percentage, so customers accessing EV protected sites are safer:
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf

Doug,

Can you point me to the specific research you're referring to? All I see in 
this presentation that's remotely relevant is a breakdown of the certificate 
types used on detected phishing sites across a couple months. If this data is 
correct, it doesn't seem to be useful information, and actually proves one of 
the points that is behind the removal of EV UI.

If EV is required for a successful phishing attack, then attackers will just 
get EV certificates. But all of the research that has been repeatedly brought 
up in this thread shows that users don't use the EV UI when making decisions 
about whether to trust a website, explaining why phishing sites don't use EV 
very much.

Additionally, the idea that sites that use EV experience less phishing seems 
deeply flawed. Banks are a huge target for phishing, and most of their websites 
have EV certificates.

An interesting and clear recent example of this is PayPal, which is obviously a 
very popular target for phishing. paypal.com technically has an EV certificate, 
but due to the certificate chain used since early 2018, the EV UI does not show 
up in the most popular browser (Chrome) on the most popular desktop operating 
system (Windows)[1]. Given the amount of phishing that PayPal experiences, it 
seems likely to me that they would have figured out how to fix this if they 
thought it was worth the effort. They haven't.

Jonathan

[1] 
https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Doug Beattie via dev-security-policy
Peter,

I'm not claiming that EV reduces phishing globally, just for those sites
that use them.  Do you have a chart that breaks down phishing attacks by SSL
certificate type? 

Here is some research that indicates EV sites have a reduced phishing
percentage, so customers accessing EV protected sites are safer:
   https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf


-Original Message-
From: Peter Gutmann  
Sent: Thursday, August 15, 2019 10:03 PM
To: Doug Beattie ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

Doug Beattie  writes:

>Do you have any empirical data to backup the claims that there is no 
>benefit from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data
and research publications on this, and the lack of benefit was explicitly
cited by Google and Mozilla as the reason for removing the EV bling... one
example is the most obvious statistic, maintained by the Anti-Phishing
Working Group (APWG), which show an essentially flat trend for phishing over
the period of a year in which EV certificates were phased in, indicating
that they had no effect whatsoever on phishing.  There's endless other stats
showing that the trend towards security is negative, i.e. it's getting worse
every year, here's some five-year stats from a quick google:

https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.

Peter.




Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Eric Mill  writes:

>CAs should be careful about casually and dramatically overestimating the
>roadblocks that EV certificates present to attackers.

See also the screenshot I posted earlier.  That was from a black-market web
site selling EV certificates to anyone with the stolen credit cards to pay for
them.  These are legit EV certs issued to legit companies, available off the
shelf for criminals to use.  For a little extra payment you can get ones with
high SmartShield scores so your malware is instantly trusted by the victim's
PC.

>The burden is not on the web browsers to prove that EV is detrimental to
>security - the burden is on third parties to prove that EV is beneficial.

Yup, as per my previous post.  We've got vast amounts of data on this, if
there was a benefit to users then it shouldn't be hard to show that from the
data.

Peter.


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Robin.Lin
I think that the phishing event count should focus on the number of phishing 
events per organization.
If the phishing event count decreased after an organization starts to use an EV 
certificate, the EV certificate should have some effect in reducing phishing 
events.

Thanks,
Robin Lin

> -Original Message-
> From: dev-security-policy  On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Friday, August 16, 2019 10:03 AM
> To: Doug Beattie ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of 
> the
> URL bar
> 
> Doug Beattie  writes:
> 
> >Do you have any empirical data to backup the claims that there is no
> >benefit from EV certificates?
> 
> Uhhh... I don't even know where to start.  We have over ten years of data and
> research publications on this, and the lack of benefit was explicitly cited 
> by Google
> and Mozilla as the reason for removing the EV bling... one example is the most
> obvious statistic, maintained by the Anti-Phishing Working Group (APWG), which
> show an essentially flat trend for phishing over the period of a year in 
> which EV
> certificates were phased in, indicating that they had no effect whatsoever on
> phishing.  There's endless other stats showing that the trend towards 
> security is
> negative, i.e. it's getting worse every year, here's some five-year stats 
> from a quick
> google:
> 
> https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png
> 
> If EV certs had any effect at all on security we'd have seen a decrease in
> phishing/increase in security.
> 
> There is one significant benefit from EV certificates, which I've already 
> pointed out,
> which is to the CAs selling them.  So when I say "there's no benefit" I mean
> "there's no benefit to end users", which is who the certificates are 
> putatively
> helping.
> 
> Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie  writes:

>So far all I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.

See the phishing stats from any source you care to use.  I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL Store blog which happened to be the first Google hit, but feel free to
take any source of stats you trust, and see if you can find any that show that
phishing decreased and/or security increased due to EV certs.

I could also reverse this and say: You claim that EV certs are useful. Produce
some stats showing this.  We could agree on using the APWG as our source,
since they're pretty authoritative.

In either case, we've got a good, decade-long, reliable, heavily-analysed data
source, it's up to the two sides to use it to support their case.  I've
already made mine.

>Yes, I work for a CA that issues EV certificates, but if there was no value
>in them, then our customers would certainly not be paying extra for them.

Must remember that one for the quotes file :-).

In case you're wondering why I find it amusing, consider this variant:

  Yes, I work for Monster Cable, but if there was no value in our cables then
  our customers would certainly not be paying extra for them.

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Peter Gutmann via dev-security-policy
Doug Beattie  writes:

>Do you have any empirical data to backup the claims that there is no benefit
>from EV certificates?

Uhhh... I don't even know where to start.  We have over ten years of data and
research publications on this, and the lack of benefit was explicitly cited by
Google and Mozilla as the reason for removing the EV bling... one example is
the most obvious statistic, maintained by the Anti-Phishing Working Group
(APWG), which show an essentially flat trend for phishing over the period of a
year in which EV certificates were phased in, indicating that they had no
effect whatsoever on phishing.  There's endless other stats showing that the
trend towards security is negative, i.e. it's getting worse every year, here's
some five-year stats from a quick google:

https://www.thesslstore.com/blog/wp-content/uploads/2019/05/Phishing-by-Year.png

If EV certs had any effect at all on security we'd have seen a decrease in
phishing/increase in security.

There is one significant benefit from EV certificates, which I've already
pointed out, which is to the CAs selling them.  So when I say "there's no
benefit" I mean "there's no benefit to end users", which is who the
certificates are putatively helping.

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
I'm told my previous message to this thread was flagged as spam for some of
the recipients. But it did get posted to the Google Group, so for those who
didn't get my previous reply, here it is:

https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/tO3k5ua0AQAJ

On Thu, Aug 15, 2019 at 1:59 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> So far all I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.  Mostly academic or
> irrelevant research, imho.  Here are a couple of links posted in this
> thread:
>
>
>
> https://www.typewritten.net/writer/ev-phishing/: This post is intended
> for a technical audience interested in how an EV SSL certificate can be
> used as an effective phishing device  security concern>
>
>
>
> https://stripe.ian.sh/: EV certificates with colliding entity names can
> be generated, but to date, I don’t know of any real attacks, just this
> academic exercise. And how much did it cost and how long did it take Ian to
> get certificates to perform this experiment?  Way more time and money than a
> phisher would invest.
>
>
>
>
> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
> references a number of studies. But none of them indicated that EV was bad
> or misleading or was a detriment to security, and a number of the
> references weren’t even related to EV (including irrelevant research links
> to bolster their claims to the uninformed)
>
>
>
> I haven’t been counting the number of pro and cons emails, but there are a
> significant number of organizations questioning the changes by Google and
> Mozilla.  Mozilla and Google should reconsider their proposed changes.
>
>
>
> Yes, I work for a CA that issues EV certificates, but if there was no
> value in them, then our customers would certainly not be paying extra for
> them.  Shouldn’t the large enterprises that see a value in identity (as
> does GlobalSign) drive the need for ending EV certificates?  With Google
> and Mozilla being prominent Lets Encrypt sponsors we know their intent is
> to drive business to them vs. any of the commercially respectable CAs.
> It’s actually counter productive to security to sponsor a CA that issues so
> many certificates to phishing and malware sites without any consequences.
> Is this to increase the value of their malware site detection services?
> Maybe..
>
> *   https://www.usenix.org/system/files/soups2019-drury.pdf
> *
> https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
>
>
> Baffled…
>
>
>
>
>
>
>
> From: Tom Ritter 
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie 
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
>
>
>
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>
>
>
> I don't doubt that at all. However see the first email in this thread
> citing research showing that users don't notice the difference.
>
>
>
>
>
>


-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ian Carroll via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> So far all I see is a number of contrived test cases picking apart small 
> components of EV, and no real data to back it up.  Mostly academic or 
> irrelevant research, imho.  Here are a couple of links posted in this thread:
> 
>  
> 
> https://www.typewritten.net/writer/ev-phishing/: This post is intended for a 
> technical audience interested in how an EV SSL certificate can be used as an 
> effective phishing device  concern>
> 
>  
> 
> https://stripe.ian.sh/: EV certificates with colliding entity names can be 
> generated, but to date, I don’t know of any real attacks, just this academic 
> exercise. And how much did it cost and how long did it take Ian to get 
> certificates to perform this experiment?  Way more time and money than a 
> phisher would invest. 

To be clear, I obtained this certificate during lunch while I was in high 
school, but I'm sure you read the post explaining the cost/time already. I hope 
we can agree our bar for security is higher than "a kid who got bored".

> 
>  
> 
> https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
>  references a number of studies. But none of them indicated that EV was bad 
> or misleading or was a detriment to security, and a number of the references 
> weren’t even related to EV (including irrelevant research links to bolster 
> their claims to the uninformed)
> 
>  
> 
> I haven’t been counting the number of pro and cons emails, but there are a 
> significant number of organizations questioning the changes by Google and 
> Mozilla.  Mozilla and Google should reconsider their proposed changes.
> 
>  
> 
> Yes, I work for a CA that issues EV certificates, but if there was no value 
> in them, then our customers would certainly not be paying extra for them.  
> Shouldn’t the large enterprises that see a value in identity (as does 
> GlobalSign) drive the need for ending EV certificates?  With Google and 
> Mozilla being prominent Lets Encrypt sponsors we know their intent is to 
> drive business to them vs. any of the commercially respectable CAs.  It’s 
> actually counter productive to security to sponsor a CA that issues so many 
> certificates to phishing and malware sites without any consequences.  Is this 
> to increase the value of their malware site detection services?  Maybe..

It is not worth it to respond to this bizarre theory. Sponsors of Let's Encrypt 
obviously have nothing to gain from more people using it; it's not like they 
pay dividends! You can slander them all you want, but it's not going to make 
anyone respect your opinion in the future.

>
> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out of
> the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> Peter,
>
> Do you have any empirical data to backup the claims that there is no benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread citing
> research showing that users don't notice the difference.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Rescorla via dev-security-policy
On Thu, Aug 15, 2019 at 2:46 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>

I expect this is true, but it seems to me that if anything it is an
argument that EV doesn't provide security value, not the other way around:
DV certificates are much cheaper to obtain than EV, and so naturally if you
just need a certificate you're going to get DV. OTOH, if users actually
trusted EV more, it might be worthwhile for an attacker to get EV anyway.

-Ekr

> Doug
>
>
>
> -Original Message-
> From: dev-security-policy 
> On
> Behalf Of Peter Gutmann via dev-security-policy
> Sent: Wednesday, August 14, 2019 9:04 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
> 
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> Jakob Bohm via dev-security-policy 
> writes:
>
> >Problem example:
> >[...]
>
> You're explaining how it's supposed to work in theory, not in the real
> world.
>
> We have a decade of real-world data showing that it doesn't work, that
> there's no benefit from EV certificates apart from the one to CA's balance
> sheets.  So the browser vendors are doing the logical thing, responding to
> the real-world data and no longer pretending that EV certs add any security
> value, both in terms of protecting users and of keeping out the bad guys -
> see the attached screen clip, in this case for EV code-signing certs for
> malware, but you can buy web site EV certs just as readily.
>
> Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread James Burton via dev-security-policy
My understanding of the days before EV was that the CAs themselves made up
the validation requirements for DV and because of this there were uneven
validation requirements across the industry. EV was the first document
created to solve this and standardise validation requirements for a
certificate type. Moving forward, the Baseline Requirements have standardised
validation requirements for the DV certificate type and therefore EV is no
longer needed.

Regarding the phishing aspect of EV, users have no clue what EV is and they
are more interested in looking for the padlock and completing the
checkout process.

On Thu, Aug 15, 2019 at 8:16 PM Ronald Crane via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
> > So far all I see is a number of contrived test cases picking apart small
> > components of EV, and no real data to back it up.
> I also would like to see more evidence of problems. However, I have to
> object to the idea that
> > Mostly academic...research, imho...
> is of little value. This treads dangerously close to nihilism.
> > https://stripe.ian.sh/: EV certificates with colliding entity names can
> > be generated, but to date, I don’t know of any real attacks, just this
> > academic exercise. And how much did it cost and how long did it take Ian to
> > get certificates to perform this experiment?  Way more time and money than
> > a phisher would invest.
> I question that a phisher, who stands potentially to gain hundreds of
> thousands or millions of dollars by phishing, e.g., the customers of a
> major bank, would not, as this paper says, invest "48 hours from
> incorporation to the issuance of the certificate" and "$177". This is a
> trivial investment for a non-frivolous financial phisher, let alone,
> say, a foreign government interested in phishing, say, a
> voter-registration (or -- shudder! -- an e-voting) site.
> > Yes, I work for a CA that issues EV certificates, but if there was no
> > value in them, then our customers would certainly not be paying extra for
> > them.
> That your customers may perceive additional value in them doesn't mean
> that they provide additional value to the general internet user. That
> said, I lean toward Mozilla letting this debate settle out before hiding
> EV support in release Firefox.
>
> -R
>


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ronald Crane via dev-security-policy

On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:

> So far all I see is a number of contrived test cases picking apart small
> components of EV, and no real data to back it up.

I also would like to see more evidence of problems. However, I have to
object to the idea that

> Mostly academic...research, imho...

is of little value. This treads dangerously close to nihilism.

> https://stripe.ian.sh/: EV certificates with colliding entity names can be
> generated, but to date, I don’t know of any real attacks, just this academic
> exercise. And how much did it cost and how long did it take Ian to get
> certificates to perform this experiment?  Way more time and money than a
> phisher would invest.

I question that a phisher, who stands potentially to gain hundreds of
thousands or millions of dollars by phishing, e.g., the customers of a
major bank, would not, as this paper says, invest "48 hours from
incorporation to the issuance of the certificate" and "$177". This is a
trivial investment for a non-frivolous financial phisher, let alone,
say, a foreign government interested in phishing, say, a
voter-registration (or -- shudder! -- an e-voting) site.

> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.

That your customers may perceive additional value in them doesn't mean
that they provide additional value to the general internet user. That
said, I lean toward Mozilla letting this debate settle out before hiding
EV support in release Firefox.


-R



Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Mill via dev-security-policy
rotate user passwords. After years of empirical research demonstrating the
opposite, NIST finally updated its guidance to make clear that this is
detrimental to user security, and so now enterprises are (grudgingly, in
many cases) starting to remove password rotation requirements.

Someone could have argued to NIST during their password guidance update
that "if periodic password rotation had no security value, all of these
organizations wouldn't be doing it", but that would have been an
exceptionally weak argument that, if it were taken seriously, would have
only hindered a valuable effort to improve organizational and personal
security.



> Shouldn’t the large enterprises that see a value in identity (as does
> GlobalSign) drive the need for ending EV certificates?


The only population any of us -- including large enterprises -- should be
looking to serve are end users. If the evidence suggests that end users are
not being benefited by EV certificates, there's not a strong argument to
keep it (regardless of how plausible you think the potential use in
phishing attacks is). Enterprises don't have a right to force web browsers
to maintain a channel to display a name in a particular place because they
like how it makes them feel to see it there.



> With Google and Mozilla being prominent Let's Encrypt sponsors we know
> their intent is to drive business to them vs. any of the commercially
> respectable CAs.  It’s actually counterproductive to security to sponsor a
> CA that issues so many certificates to phishing and malware sites without
> any consequences.


Let's Encrypt is a non-profit, and a huge part of what Let's Encrypt,
Google, and Mozilla have all contributed to spreading is the underlying
standard automation protocol behind it (ACME), as well as the open source
CA behind it (Boulder). Because Let's Encrypt and its sponsors have created
ACME, it is now easier than ever for CAs to compete with Let's Encrypt, and
for customers of Let's Encrypt to avoid vendor lock-in. I am personally
aware of commercial CAs that have adopted ACME for issuance. I'm also aware
of US government agencies -- some very large enterprises -- that are
creating ACME-based, Boulder-based CAs and will benefit in the long run
from the ease of migrating away from Let's Encrypt to their own
independently operated PKI.

This is all to say that it's inaccurate and unconstructive to point to
Let's Encrypt sponsorship as evidence of nefarious or self-interested
intent, and certainly not as damaging to large enterprises. The work
undertaken by these organizations has resulted in more freedom for large
enterprise customers, healthier competition among certificate authorities,
and more security for end users across the internet.


> Is this to increase the value of their malware site detection services?
> Maybe..
>

For the record, I'm not even aware of a malware detection service that
Mozilla operates. I believe they rely on Google Safe Browsing, even for
their particularly privacy-conscious Firefox Focus app. [1]

[1] https://support.mozilla.org/en-US/kb/safe-browsing-firefox-focus


> *   https://www.usenix.org/system/files/soups2019-drury.pdf
> *   https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
>
> From: Tom Ritter
> Sent: Thursday, August 15, 2019 1:13 PM
> To: Doug Beattie
> Cc: Peter Gutmann ; MozPol <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
> of the URL bar
>
> On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>
> I don't doubt that at all. However see the first email in this thread
> citing research showing that users don't notice the difference.


-- 
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Tom Ritter via dev-security-policy
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Peter,
>
> Do you have any empirical data to backup the claims that there is no
> benefit
> from EV certificates?  From the reports I've seen, the percentage of
> phishing and malware sites that use EV is drastically lower than DV (which
> are used to protect the cesspool of websites).
>

I don't doubt that at all. However see the first email in this thread
citing research showing that users don't notice the difference.


RE: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Doug Beattie via dev-security-policy
Peter,

Do you have any empirical data to backup the claims that there is no benefit
from EV certificates?  From the reports I've seen, the percentage of
phishing and malware sites that use EV is drastically lower than DV (which
are used to protect the cesspool of websites).

Doug



-Original Message-
From: dev-security-policy  On
Behalf Of Peter Gutmann via dev-security-policy
Sent: Wednesday, August 14, 2019 9:04 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm

Subject: Re: Fwd: Intent to Ship: Move Extended Validation Information out
of the URL bar

Jakob Bohm via dev-security-policy 
writes:

>Problem example:
>[...]

You're explaining how it's supposed to work in theory, not in the real
world.

We have a decade of real-world data showing that it doesn't work, that
there's no benefit from EV certificates apart from the one to CA's balance
sheets.  So the browser vendors are doing the logical thing, responding to
the real-world data and no longer pretending that EV certs add any security
value, both in terms of protecting users and of keeping out the bad guys -
see the attached screen clip, in this case for EV code-signing certs for
malware, but you can buy web site EV certs just as readily.

Peter.


Re: [FORGED] Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Gutmann via dev-security-policy
Peter Bowen via dev-security-policy  
writes:

>I have to admit that I'm a little confused by this whole discussion.  While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.

Oh, that's easy:

  A few years ago certificates still cost several hundred dollars, but now
  that the shifting baseline of certificate prices and quality has moved to
  the point where you can get them for $9.95 (or even for nothing at all) the
  big commercial CAs have had to reinvent themselves by defining a new
  standard and convincing the market to go back to the prices paid in the good
  old days.

  This déjà-vu-all-over-again approach can be seen by examining Verisign’s
  certificate practice statement (CPS), the document that governs its
  certificate issuance.  The security requirements in the EV-certificate 2008
  CPS are (except for minor differences in the legalese used to express them)
  practically identical to the requirements for Class 3 certificates listed in
  Verisign’s version 1.0 CPS from 1996 [ ].  EV certificates simply roll back
  the clock to the approach that had already failed the first time it was
  tried in 1996, resetting the shifting baseline and charging 1996 prices as a
  side-effect.  There have even been proposals for a kind of sliding-window
  approach to certificate value in which, as the inevitable race to the bottom
  cheapens the effective value of established classes of certificates, they’re
  regarded as less and less effective by the software that uses them (for
  example browsers would no longer display a padlock for them), and the
  sliding window advances to the next generation of certificates until
  eventually the cycle repeats.

That was written about a decade ago.  As recent events have shown, it was
remarkably accurate.  The sliding window has just slid.

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:

> On 14/08/2019 18:18, Peter Bowen wrote:
> > One thing I've found really useful in working on user experience is to
> > discuss things using problem & solution statements that show the before
> > and after.  For example, "It used to take 10 minutes for the fire
> > sprinklers to activate after sensing excessive heat in our building.  With
> > the new sprinkler heads we installed they will activate within 15 seconds
> > of detecting heat above 200ºC, which will enable fire suppression long
> > before it spreads."
> >
>
> It used to be easy for fraudsters to get an OV certificate with untrue
> company information from smaller CAs.  By only displaying company
> information for more strictly checked EV certificates, it now becomes
> much more difficult for fraudsters to pretend to be someone else, making
> fewer users fall for such scams.
>
> Displaying an overly truncated form of the company information, combined
> with genuine high-trust companies (banks, credit card companies) often
> using obscure subsidiary names instead of their user trusted company
> names for their EV certs has greatly reduced this benefit.
>
> > If we assume for a minute that Firefox had no certificate information
> > anywhere in the UI (no subject info, no issuer info, no way to view
> > chains, etc), what user experience problem would you be solving by adding
> > information about certificates to the UI?
>
> This hasn't been the case since before Mozilla was founded.
>
> But let's assume we started from there, the benefit would be to tell
> users when they were dealing with the company they know from the
> physical world versus someone almost quite unlike them.
>
> Making this visible with as few (maybe 0) extra user actions increases
> the likelihood that users will spot the problem when there is one.
>

What is the problem being solved?  You specify the benefit but I'm still
not clear why this info is needed in the first place.

Thanks,
Peter


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the sloppily validated
> OV certs to compete against the CAs that hadn't yet cleaned up their
> act.
>
> This was before the BRs took effect, meaning that the bar for issuing OV
> certs was very low.


> To heavy-handedly pressure the bad CAs to get in line, Firefox
> simultaneously started to display exaggerated and untruthful warnings
> for OV certificates, essentially telling users they were merely DV
> certificates.
>
> So the intended long term benefit would be that less reliable CAs would
> exit the market, making the certificate information displayed more
> reliable for users.
>

This does not seem to be supported by the statements by Opera, Mozilla, the
KDE Foundation, and Microsoft at the time, so unfortunately, I must point
out that you are either mistaken or being dishonest, or both.

https://web.archive.org/web/20060316082248/http://www.opera.com/security/toronto/
https://dot.kde.org/2005/11/22/web-browser-developers-work-together-security
http://hecker.org/mozilla/ssl-ui
https://blogs.msdn.microsoft.com/ie/2005/11/21/better-website-identification-and-extended-validation-certificates-in-ie7-and-other-browsers/

Perhaps you'd like to correct the misstatements, having been pointed to
contemporaneous statements from people actually there and involved in the
decisions, which I can hope you were simply unaware of?


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy

On 14/08/2019 18:18, Peter Bowen wrote:
> On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > A policy of switching from positive to negative indicators of security
> > differences is no justification to switch to NO indication.  And it
> > certainly doesn't help user understanding of any indicator to
> > arbitrarily change it with 3 days of no meaningful discussion.
> >
> > The only thing that was insecure with Firefox EV has been that the
> > original EV indicator only displayed the O= and C= field without enough
> > context (ST, L).  The change fixes nothing, but instead removes the direct
> > indication of the validation strength (low-effort DV vs. EV) AND removes
> > the one piece of essential context that was previously there (country).
> >
> > If something should be done, it would be to merge the requirements for
> > EV and OV with an appropriate transition period to cause the distinction
> > to disappear (so at least 2 years from new issuance policy).  UI
> > indication should continue to distinguish between properly validated OV
> > and the mere "enable encryption with no real checks" DV certificates.
>
> I have to admit that I'm a little confused by this whole discussion.  While
> I've been involved with PKI for a while, I've never been clear on the
> problem(s) that need to be solved that drove the browser UIs and creation
> of EV certificates.

EV was originally an initiative to make the CAs properly vet OV
certificates, and to mark those CAs that had done a proper job.
EV issuing CAs were permitted to still sell the sloppily validated
OV certs to compete against the CAs that hadn't yet cleaned up their
act.

This was before the BRs took effect, meaning that the bar for issuing OV
certs was very low.

To heavy-handedly pressure the bad CAs to get in line, Firefox
simultaneously started to display exaggerated and untruthful warnings
for OV certificates, essentially telling users they were merely DV
certificates.

So the intended long term benefit would be that less reliable CAs would
exit the market, making the certificate information displayed more
reliable for users.

The intended short term benefit would be to prevent users from believing
unvalidated certificate information from CAs that didn't check things
properly.

As BRs and audits for OV certs have been ramped up, the difference
between OV and EV has become less significant, while the difference
between DV and OV has massively increased.

Thus blurring the line between OV and EV could now be justified, but
blurring the line between DV and EV can not.

> One thing I've found really useful in working on user experience is to
> discuss things using problem & solution statements that show the before and
> after.  For example, "It used to take 10 minutes for the fire sprinklers to
> activate after sensing excessive heat in our building.  With the new
> sprinkler heads we installed they will activate within 15 seconds of
> detecting heat above 200ºC, which will enable fire suppression long before
> it spreads."

It used to be easy for fraudsters to get an OV certificate with untrue
company information from smaller CAs.  By only displaying company
information for more strictly checked EV certificates, it now becomes
much more difficult for fraudsters to pretend to be someone else, making
fewer users fall for such scams.

Displaying an overly truncated form of the company information, combined
with genuine high-trust companies (banks, credit card companies) often
using obscure subsidiary names instead of their user trusted company
names for their EV certs has greatly reduced this benefit.

> If we assume for a minute that Firefox had no certificate information
> anywhere in the UI (no subject info, no issuer info, no way to view chains,
> etc), what user experience problem would you be solving by adding
> information about certificates to the UI?

This hasn't been the case since before Mozilla was founded.

But let's assume we started from there, the benefit would be to tell
users when they were dealing with the company they know from the
physical world versus someone almost quite unlike them.

Making this visible with as few (maybe 0) extra user actions increases
the likelihood that users will spot the problem when there is one.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
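
The O=/C= indicator and the DV/OV/EV distinction argued over in the message above, as an added example that is not part of the original thread: a Python model of a URL-bar label built from O= and C= alone, run over constructed certificate records, showing that two separately incorporated entities produce the same label. The record layout, field names and sample values are assumptions made for the example; the policy OIDs are the CA/Browser Forum identifiers for EV, OV and DV.

```python
from collections import defaultdict

# CA/Browser Forum certificate-policy OIDs, strongest validation first.
POLICY_LEVELS = [
    ("2.23.140.1.1", "EV"),
    ("2.23.140.1.2.2", "OV"),
    ("2.23.140.1.2.1", "DV"),
]


def validation_level(policy_oids):
    """Map the policy OIDs asserted by a certificate to EV / OV / DV."""
    for oid, level in POLICY_LEVELS:
        if oid in policy_oids:
            return level
    return "unknown"


def url_bar_label(cert):
    """Model of the indicator as the thread describes it (an assumption, not
    browser code): O= and C= only, shown for EV and nothing for OV or DV."""
    if validation_level(cert["policies"]) != "EV":
        return None
    subject = cert["subject"]
    return f'{subject["O"]} ({subject["C"]})'


def legal_entity(cert):
    """What identifies the company: jurisdiction of incorporation plus the
    registration number issued by that jurisdiction's registry."""
    s = cert["subject"]
    return (s["jurisdictionC"], s.get("jurisdictionST", ""), s["serialNumber"])


def find_label_collisions(certs):
    """Return {label: {legal entity: [dns names]}} for every label that more
    than one distinct legal entity can place in the URL bar."""
    by_label = defaultdict(lambda: defaultdict(set))
    for cert in certs:
        label = url_bar_label(cert)
        if label is not None:
            by_label[label][legal_entity(cert)].add(cert["dns_name"])
    return {
        label: {entity: sorted(names) for entity, names in entities.items()}
        for label, entities in by_label.items()
        if len(entities) > 1
    }


# Constructed sample records (hypothetical companies and host names).
_DELAWARE = {"O": "Example Payments, Inc", "C": "US", "ST": "California",
             "L": "San Francisco", "jurisdictionC": "US",
             "jurisdictionST": "Delaware", "serialNumber": "1111111"}
_KENTUCKY = {"O": "Example Payments, Inc", "C": "US", "ST": "Kentucky",
             "L": "Lexington", "jurisdictionC": "US",
             "jurisdictionST": "Kentucky", "serialNumber": "2222222"}

SAMPLE_CERTS = [
    {"dns_name": "pay.example", "policies": {"2.23.140.1.1"}, "subject": _DELAWARE},
    {"dns_name": "api.pay.example", "policies": {"2.23.140.1.1"}, "subject": _DELAWARE},
    {"dns_name": "pay-example.test", "policies": {"2.23.140.1.1"}, "subject": _KENTUCKY},
    # OV: organisation is in the subject but the modelled indicator hides it.
    {"dns_name": "shop.example", "policies": {"2.23.140.1.2.2"},
     "subject": {"O": "Example Payments, Inc", "C": "US"}},
    # DV: no organisation information at all.
    {"dns_name": "blog.example", "policies": {"2.23.140.1.2.1"}, "subject": {}},
    {"dns_name": "bank.example", "policies": {"2.23.140.1.1"},
     "subject": {"O": "Example Bank AG", "C": "DE", "L": "Berlin",
                 "jurisdictionC": "DE", "serialNumber": "HRB 0000"}},
]

if __name__ == "__main__":
    for label, entities in find_label_collisions(SAMPLE_CERTS).items():
        print(f"label {label!r} is shared by {len(entities)} legal entities:")
        for entity, names in sorted(entities.items()):
            print("   ", entity, "->", ", ".join(names))
```

Adding ST or L to the label separates the two constructed entities here only because their place of business differs; the jurisdiction and registration number are what distinguish them in general.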


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> A policy of switching from positive to negative indicators of security
> differences is no justification to switch to NO indication.  And it
> certainly doesn't help user understanding of any indicator to
> arbitrarily change it with 3 days of no meaningful discussion.
>
> The only thing that was insecure with Firefox EV has been that the
> original EV indicator only displayed the O= and C= field without enough
> context (ST, L).  The change fixes nothing, but instead removes the direct
> indication of the validation strength (low-effort DV vs. EV) AND removes
> the one piece of essential context that was previously there (country).
>
> If something should be done, it would be to merge the requirements for
> EV and OV with an appropriate transition period to cause the distinction
> to disappear (so at least 2 years from new issuance policy).  UI
> indication should continue to distinguish between properly validated OV
> and the mere "enable encryption with no real checks" DV certificates.
>

I have to admit that I'm a little confused by this whole discussion.  While
I've been involved with PKI for a while, I've never been clear on the
problem(s) that need to be solved that drove the browser UIs and creation
of EV certificates.

One thing I've found really useful in working on user experience is to
discuss things using problem & solution statements that show the before and
after.  For example, "It used to take 10 minutes for the fire sprinklers to
activate after sensing excessive heat in our building.  With the new
sprinkler heads we installed they will activate within 15 seconds of
detecting heat above 200ºC, which will enable fire suppression long before
it spreads."

If we assume for a minute that Firefox had no certificate information
anywhere in the UI (no subject info, no issuer info, no way to view chains,
etc), what user experience problem would you be solving by adding
information about certificates to the UI?

Thanks,
Peter

(speaking only for myself, not my employer)


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy 
 writes:

>I share the opinion with Jakob, except with the CVE. Please remove this
>change. It is unnecessary and kills the EV market.

And that was my motivation for the previous question: We know from a decade of
data that EV certs haven't made any difference to security.  The only thing
they've affected is CA's bottom line, since they can now go back to charging
1990s prices for EV certs rather than $9.95 for non-EV certs.  Removing the UI
bling for the more expensive certs makes sense from a security point of view,
but not from a business point of view: "it kills the [very lucrative] EV
market".

It'd be interesting to hear what CAs think of this.  Will the next step be EEV
certs and a restart of the whole cycle, as was predicted when EV certs first
came out?

Peter.


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Daniel Marschall via dev-security-policy
I share the opinion with Jakob, except with the CVE. Please remove this change. 
It is unnecessary and kills the EV market.
But if you insist on keeping that UI change, maybe you can at least give the 
lock symbol a different color if it is an EV cert?


Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Jakob Bohm via dev-security-policy

DO NOT SHIP THIS.  Revert the change immediately and request a CVE
number for the nightlies with this change included.

That Chrome does something harmful is not surprising, and is no
justification for a supposedly independent browser to do the same.

A policy of switching from positive to negative indicators of security
differences is no justification to switch to NO indication.  And it
certainly doesn't help user understanding of any indicator to
arbitrarily change it with 3 days of no meaningful discussion.

The only thing that was insecure with Firefox EV has been that the
original EV indicator only displayed the O= and C= field without enough
context (ST, L).  This was used to create tons of uninformed debate
in order to later present that noise as "extensive discusison [SIC] in
the security community about the usefulness of EV certificates".

The change fixes nothing, but instead removes the direct indication of
the validation strength (low-effort DV vs. EV) AND removes the one piece
of essential context that was previously there (country).

If something should be done, it would be to merge the requirements for
EV and OV with an appropriate transition period to cause the distinction
to disappear (so at least 2 years from new issuance policy).  UI
indication should continue to distinguish between properly validated OV
and the mere "enable encryption with no real checks" DV certificates.

On 12/08/2019 20:30, Wayne Thayer wrote:

Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
which is expected to be released on 22-October. Details below.

If the before and after images are stripped from the email, you can view
them here:

Before:
https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F

After:
https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u

- Wayne

---------- Forwarded message ---------
From: Johann Hofmann
Date: Mon, Aug 12, 2019 at 1:05 AM
Subject: Intent to Ship: Move Extended Validation Information out of the
URL bar
To: Firefox Dev
Cc: dev-platform, Wayne Thayer <wtha...@mozilla.com>


In desktop Firefox 70, we intend to remove Extended Validation (EV)
indicators from the identity block (the left hand side of the URL bar which
is used to display security / privacy information). We will add additional
EV information to the identity panel instead, effectively reducing the
exposure of EV information to users while keeping it easily accessible.

Before:


After:


The effectiveness of EV has been called into question numerous times over
the last few years, there are serious doubts whether users notice the
absence of positive security indicators and proof of concepts have been pitting
EV against domains for phishing.

More recently, it has been shown that EV
certificates with colliding entity names can be generated by choosing a
different jurisdiction. 18 months have passed since then and no changes
that address this problem have been identified.

The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.



On our side a pref for this
(security.identityblock.show_extended_validation) was added in bug 1572389
(thanks :evilpie for working on it!). We're planning to flip this pref to
false in bug 1572936.

Please let us know if you have any questions or concerns,

Wayne & Johann




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
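
Added example, not part of the original messages or of any browser's code: a sketch of how an auditor could check a set of EV subjects for the name collision the thread discusses, comparing a label built from O= and C= only with one that also carries L and ST. The subject strings, function names and the simple comma-separated format are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample subjects (not real certificates). jurisdictionST and
# jurisdictionC stand for the EV jurisdiction-of-incorporation attributes
# (OIDs 1.3.6.1.4.1.311.60.2.1.2 and 1.3.6.1.4.1.311.60.2.1.3).
SAMPLE_SUBJECTS = [
    "O=Example Payments Inc, L=Wilmington, ST=Delaware, C=US, "
    "jurisdictionST=Delaware, jurisdictionC=US, serialNumber=1111111",
    "O=Example Payments Inc, L=Louisville, ST=Kentucky, C=US, "
    "jurisdictionST=Kentucky, jurisdictionC=US, serialNumber=2222222",
    "O=Example Widgets GmbH, L=Berlin, ST=Berlin, C=DE, "
    "jurisdictionC=DE, serialNumber=HRB 33333",
]

IDENTITY_KEYS = ("O", "L", "ST", "C", "jurisdictionST", "jurisdictionC",
                 "serialNumber")


def parse_subject(dn):
    """Parse a simple 'K=V, K=V' subject string (assumes no escaped commas)."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def label_o_c(attrs):
    """Label built from O= and C= only."""
    return f"{attrs.get('O', '')} ({attrs.get('C', '')})"


def label_with_locality(attrs):
    """Label that also carries L and ST as context."""
    return (f"{attrs.get('O', '')}, {attrs.get('L', '')}, "
            f"{attrs.get('ST', '')} ({attrs.get('C', '')})")


def find_collisions(subjects, label_fn):
    """Return labels that map to more than one distinct validated identity."""
    groups = defaultdict(set)
    for dn in subjects:
        attrs = parse_subject(dn)
        identity = tuple(attrs.get(k, "") for k in IDENTITY_KEYS)
        groups[label_fn(attrs)].add(identity)
    return {lbl: sorted(ids) for lbl, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    print("O+C label:", list(find_collisions(SAMPLE_SUBJECTS, label_o_c)))
    print("O+L+ST+C label:",
          list(find_collisions(SAMPLE_SUBJECTS, label_with_locality)))
```
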