Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Wed, Sep 04, 2019 at 03:50:40PM +0200, Kurt Roeckx via dev-security-policy wrote: > On 2019-09-04 14:14, Matt Palmer wrote: > > If EV information is of use in anti-phishing efforts, then it would be best > > for the providers of anti-phishing services to team up with CAs to describe > > the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Kurt Roeckx via dev-security-policy
On 2019-09-04 14:14, Matt Palmer wrote: If EV information is of use in anti-phishing efforts, then it would be best for the providers of anti-phishing services to team up with CAs to describe the advantages of continuing to provide an EV certificate. If site owners, who are presumably smart

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Tue, Sep 03, 2019 at 06:16:23PM -0700, Kirk Hall via dev-security-policy wrote: > However, I did receive authority to post the following statement from > someone who works for a major browser phishing filter (but without > disclosing the person's name or company). Here is the authorized >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-03 Thread Kirk Hall via dev-security-policy
Last week I posted reasons why Mozilla shouldn’t remove the EV UI from Firefox. In addition to the discussion on how the EV UI can inform users when a website does or does not have confirmed identity before they choose to type in their password or credit card number (after a little user

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-02 Thread Josef Schneider via dev-security-policy
Am Sonntag, 1. September 2019 04:27:04 UTC+2 schrieb Peter Gutmann: > Since the value to criminals of EV web certs is low, it seems they're not > doing much to stop what the criminals are doing. If they did have any value > then criminals would be prepared to pay more for them, like they already

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-31 Thread Peter Gutmann via dev-security-policy
Kirk Hall via dev-security-policy writes: >does GSB use any EV certificate identity data in its phishing algorithms. Another way to think about this this is to look at it from the criminals' perspective: What's the value to criminals? To use a silly example, the value to criminals of an

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Fri, 30 Aug 2019 12:02:42 -0500 Matthew Hardeman via dev-security-policy wrote: > What's not discussed in that mechanism is how Google decides what > pages are unsafe and when? Yes, but the point was to show what shape Safe Browsing API is, I guess I'd assumed this makes it obvious that EV

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread James Burton via dev-security-policy
Kirk, I know you are really passionate about extended validation and it does come across in your correspondences on this forum and the CAB Forum but sometimes our passion or frustration leads us to divulge private information which shouldn't have been released into the public domain. Before you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Friday, August 30, 2019 at 11:38:55 AM UTC-7, Peter Bowen wrote: > On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > I'll just reiterate my point and then drop the subject. EV certificate > > subject information is used

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 30, 2019 at 12:06 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This is super easy, and doesn't even require you to do any work, like > contacting Google Safe Browsing and asking them to participate in this > conversation. > > Here's the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Peter Bowen via dev-security-policy
On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I'll just reiterate my point and then drop the subject. EV certificate > subject information is used by anti-phishing services and browser phishing > filters, and it would be a

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
> OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters and anti-virus apps use EV data in their anti-phishing > algorithms). > > This is super easy, and doesn't even require

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
On Fri, Aug 30, 2019 at 11:56 AM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > For readers unfamiliar, let me briefly explain what Safe Browsing gives > browsers: > > For every URL you're considering displaying you calculate a whole bunch > of cryptographic

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 18:44:11 -0700 (PDT) Kirk Hall via dev-security-policy wrote: > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do > browser phishing filters and anti-virus apps use EV data in their >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
> > I’m not saying that this is the case, but merely to say that the > Yes/No/IDK does not represent the full set of feasible responses. > So let's add "I decline to make inquiries, official or otherwise" and "Policy prevents me from discussing that" to the list. It would be interesting to get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Neil Dunbar via dev-security-policy
> On 30 Aug 2019, at 02:44, Kirk Hall via dev-security-policy > > wrote: > > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 6:15:44 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > What the heck does it mean when sometimes you say you are posting "in a > > personal capacity" and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Leo Grove via dev-security-policy
On Thursday, August 29, 2019 at 5:26:55 PM UTC-5, Kirk Hall wrote: > On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > > > > > > Don't argue with me,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Matt Palmer via dev-security-policy
On Thu, Aug 29, 2019 at 02:14:10PM -0700, Kirk Hall via dev-security-policy wrote: > For EV certificates, the appeal for website owners over the past 10 years > has been that they get a distinctive EV UI that they believe protects > their consumers and their brands (again, don't argue with me but

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What the heck does it mean when sometimes you say you are posting "in a > personal capacity" and sometimes you don't? It sounds like you were very prescient in your inability to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > > On Thu, Aug 29, 2019 at 6:26

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Could you point to the browsing phishing filters and anti-phishing > > services > > > that do? It

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Could you point to the browsing phishing filters and anti-phishing > services > > that do? It might be an opportunity for you to find out how they deal > with > > this, and report

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Josef Schneider via dev-security-policy
Am Donnerstag, 29. August 2019 10:59:40 UTC+2 schrieb Nick Lamb: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > > > Not legally probably and this also depends on the jurisdiction. Since > > an EV cert shows the jurisdiction, a user can draw

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In this case, the use of EV certificates, and the presumption of > > > reputation, would lead to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > In this case, the use of EV certificates, and the presumption of > > reputation, would lead to actively worse security. > > > > Did I misunderstand the scenario? > > Don't argue

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 12:17:22 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Sure, I’m happy to explain, using Bank of America as an example. > > > Kirk, > > Thanks for

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb wrote: > On Thu, 29 Aug 2019 13:33:26 -0400 > Lee via dev-security-policy > wrote: > >> That it isn't my financial institution. Hopefully I'd have the >> presence of mind to save the fraud site cert, but I'd either find the >> business card of the person I've been dealing

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 19:47, Nick Lamb wrote: > On Thu, 29 Aug 2019 17:05:43 +0200 > Jakob Bohm via dev-security-policy > wrote: > >> The example given a few messages above was a different jurisdiction >> than those two easily duped company registries. > > I see. Perhaps Vienna, Austria has a truly

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ronald Crane via dev-security-policy
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote: ... If you _work_ for such an institution [e.g.,a bank], the best thing you could do to protect your customers against Phishing, a very popular attack that TLS is often expected to mitigate, is offer WebAuthn You also could

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread James Burton via dev-security-policy
These so called "extended" validation vetting checks on companies for extended validation certificates are supposed to provide the consumer on the website with an high level of assurance that the company has been properly validated but the fact is that these so called "extended" validation vetting

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sure, I’m happy to explain, using Bank of America as an example. Kirk, Thanks for providing this example. Could you help me understand how it helps determine that things are

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ian Carroll via dev-security-policy
On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote: > On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > > This string is about Mozilla’s announced plan to remove the EV UI

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > This string is about Mozilla’s announced plan to remove the EV UI from > > Firefox in October. Over time, this will tend to eliminate

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 13:33:26 -0400 Lee via dev-security-policy wrote: > That it isn't my financial institution. Hopefully I'd have the > presence of mind to save the fraud site cert, but I'd either find the > business card of the person I've been dealing with there or find an > old statement,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jonathan Rudenberg via dev-security-policy
On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > This string is about Mozilla’s announced plan to remove the EV UI from > Firefox in October. Over time, this will tend to eliminate confirmed > identity information about websites from the security ecosystem, as EV >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 17:05:43 +0200 Jakob Bohm via dev-security-policy wrote: > The example given a few messages above was a different jurisdiction > than those two easily duped company registries. I see. Perhaps Vienna, Austria has a truly exemplary registry when it comes to such things. Do you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
This string is about Mozilla’s announced plan to remove the EV UI from Firefox in October. Over time, this will tend to eliminate confirmed identity information about websites from the security ecosystem, as EV website owners may decide it’s not worth using a n EV certificate if browsers

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb via dev-security-policy wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >>

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 10:58, Nick Lamb wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >> that. > > Yes

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) Josef Schneider via dev-security-policy wrote: > Not legally probably and this also depends on the jurisdiction. Since > an EV cert shows the jurisdiction, a user can draw conclusions from > that. Yes it is true that crimes are illegal. This has not

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Ryan Sleevi via dev-security-policy
(Posting in a personal capacity) On Wed, Aug 28, 2019 at 7:01 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Most of the comments against EV certificates on this list have been > focused on whether or not the current Firefox EV UI is relied on by Firefox >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-28 Thread Kirk Hall via dev-security-policy
Most of the comments against EV certificates on this list have been focused on whether or not the current Firefox EV UI is relied on by Firefox users to make security decisions. (Actually, I have only seen a Google paper on this issue in Chrome, no research from Firefox.) But there is an

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Leo Grove via dev-security-policy
> > There are also opportunities for browsers here. I have to admit I > primarily use Google Chrome, rather than Firefox, so my observations may be > a little tainted, but I see various places where signals far more valuable > than the green lock could be implemented. Consider that most

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Resend again to fix spelling errors and add extra details The correct way to vet a UK company would be to: 1. The CA checks Companies House to check if the company is incorporated. 2. The CA sends a letter with verification code to the company address listed on Companies House. 3. The CA requests

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Companies House ( http://resources.companieshouse.gov.uk/serviceInformation.shtml#compInfo) says "We carry out basic checks on documents received to make sure that they have been fully completed and signed, but we do not have the statutory power or capability to verify the accuracy of the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Jakob Bohm via dev-security-policy
On 27/08/2019 08:03, Peter Gutmann wrote: > Jakob Bohm via dev-security-policy > writes: > >> and >> both took advantage of weaknesses in two >> government registries > > They weren't "weaknesses in government

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Cynthia Revström via dev-security-policy
> > Because no actual proof that DV versus EV makes no difference in the > current (not ancient or anecdotal) situation has been posted. > > To me that sounds like you are suggesting that we prove that nothing happened, which is pretty much impossible. Why don't you or the CAs offering EV prove

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: > and > both took advantage of weaknesses in two >government registries They weren't "weaknesses in government registries", they were registries working as designed, and as

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jonathan Rudenberg via dev-security-policy
On Mon, Aug 26, 2019, at 20:44, Jakob Bohm via dev-security-policy wrote: > On 26/08/2019 21:49, Jonathan Rudenberg wrote: > > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: > >> and > >> both

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
On 26/08/2019 21:49, Jonathan Rudenberg wrote: > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: >> and >> both took advantage of weaknesses in two >> government registries to create actual dummy

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread James Burton via dev-security-policy
Jakob, Before I touch on your comments, I wanted to point out that I am fairly well known in the CA industry even back then and that fact might have tainted the results sightly because I am treated some what differently to other orders as the validation staff look more carefully at the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jonathan Rudenberg via dev-security-policy
On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: > and > both took advantage of weaknesses in two > government registries to create actual dummy companies with misleading > names, then trying to get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
On 24/08/2019 05:55, Tom Ritter wrote: On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy wrote: Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-24 Thread Jernej Simončič via dev-security-policy
On Fri, 23 Aug 2019 15:53:21 -0700 (PDT), Daniel Marschall wrote: > Can you proove that your assumption "very few phishing sites use EV (only) > because DV is sufficient" is correct? I do think the truth is "very few > phishing sites use EV, because EV is hard to get". Before browsers started

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy wrote: > > Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > > Whatever the merits of EV (and perhaps there are some -- I'm not >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Peter Bowen via dev-security-policy
On Thu, Aug 22, 2019 at 1:44 PM kirkhalloregon--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Some have responded there is no research saying EV sites have > significantly less phishing (and are therefore safer) than DV sites – Tim > has listed two studies that say

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote: Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps there are some -- I'm not convinced either way)

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Daniel Marschall via dev-security-policy
Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > Whatever the merits of EV (and perhaps there are some -- I'm not > convinced either way) this data is negligible evidence of them. A DV > cert is

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread sslcorp.team--- via dev-security-policy
> > Correlation does not imply causation. > > There are studies that show phishing sites tend not to be EV - yes. > That's a correlation. > > If we studied phishing sites and domain name registration fees I'm > sure we'd find a correlation there too - I'd bet the .cfd TLD (which > apparently

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote: On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: > > On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > I can tell you that anti-phishing services and browser phishing filters

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Leo Grove via dev-security-policy
On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > I can tell you that anti-phishing services and browser phishing filters > > have also have concluded that EV sites are very unlikely to be phishing >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Ronald Crane via dev-security-policy
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you that anti-phishing services and browser phishing filters have also have concluded that EV sites are very unlikely to be phishing sites and so are safer for users. Whatever the merits of EV (and perhaps

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread kirkhalloregon--- via dev-security-policy
On Monday, August 12, 2019 at 2:31:22 PM UTC-4, Wayne Thayer wrote: > Mozilla has announced that we plan to relocate the EV UI in Firefox 70, > which is expected to be released on 22-October. Details below. > > If the before and after images are stripped from the email, you can view > them here:

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-21 Thread Tadahiko Ito via dev-security-policy
(From my personal point of view) I read Google’s paper[1]. For me, that paper’s result could be hypothesized like “some people do care about some information, which is written in EV but not in DV”. That is… (A) If you click EV indicator, you will able to get more information about identity

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote: > That’s where EV certificates can help. Data shows that websites with EV > certificates have a very low incidence of phishing. [...] > This research validates the results of an earlier study of 3,494 encrypted >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Matt Palmer via dev-security-policy
On Fri, Aug 16, 2019 at 03:15:39PM -0700, Daniel Marschall via dev-security-policy wrote: > (2) I am a pro EV person, and I do not have any financial benefit from EV > certificates. I do not own EV certificates, instead my own websites use > Let's Encrypt DV certificates. But when I visit

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Jakob Bohm via dev-security-policy
On 17/08/2019 00:56, James Burton wrote: If one compares the first EV specification with the current EV specification one will notice that the EV specification hasn't changed that much during its lifetime. The issues presented during the last years though research have been known about since the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: >Your legendary dislike for all things X.509 is showing. My dislike for persisting mindlessly with stuff we already know doesn't work is showing (see in particular the quote typically misattributed to Einstein about the definition of insanity), and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jakob Bohm via dev-security-policy
On 17/08/2019 03:15, Peter Gutmann wrote: Corey Bonnell via dev-security-policy writes: the effectiveness of the EV UI treatment is predicated on whether or not the user can memorize which websites always use EV certificates *and* no longer proceed with using the website if the EV treatment

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Peter Gutmann via dev-security-policy
Corey Bonnell via dev-security-policy writes: >the effectiveness of the EV UI treatment is predicated on whether or not the >user can memorize which websites always use EV certificates *and* no longer >proceed with using the website if the EV treatment isn't shown. That's a huge >cognitive

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread James Burton via dev-security-policy
If one compares the first EV specification with the current EV specification one will notice that the EV specification hasn't changed that much during its lifetime. The issues presented during the last years though research have been known about since the first adoption of the EV specification. If

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Matthew Hardeman via dev-security-policy
Honestly the issues, as I see them, are twofold: 1. When I visit a site for the first time, how do I know I should expect an EV certificate? I am conscientious about subsequent visits, especially financial industry sites. 2. The browsers seem to have a bias toward the average user, that user

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Daniel Marschall via dev-security-policy
I have a few more comments/annotations: (1) Pro EV persons argue "Criminals have problems getting an EV certificate, so most of them are using only DV certificates". Anti EV persons argue "Criminals just don't use EV certificates, because they know that end users don't look at the EV indicator

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Kurt Roeckx via dev-security-policy
On Fri, Aug 16, 2019 at 12:42:35PM -0700, tim--- via dev-security-policy wrote: > > By way of background, until recently almost all phishing and malware was on > unencrypted http sites. They received a neutral UI, and the bad guys didn’t > have to spend time and money getting a certificate,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Paul van Brouwershaven via dev-security-policy
Thanks Tim, well written and I completely agree! In this thread Issues have been raised about that EV validation is not perfect and that criminals can obtain an EV certificate (if they reveal their identity). I also agree that the validation can be improved, but as Tim stated, that doesn't mean

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread tim--- via dev-security-policy
My apologies for not weighing in earlier, but like many others I was surprised by this announcement and had to make time to craft this message around other pressing demands. The original announcement above that the EV UI would be removed in October cited authorities and articles that were in

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Nick Lamb via dev-security-policy
On Fri, 16 Aug 2019 13:31:08 + Doug Beattie via dev-security-policy wrote: > DB: One of the reasons that phishers don't get EV certificates is > because the vetting process requires several interactions and > corporate repositories which end up revealing more about their > identity. This

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Nick Lamb via dev-security-policy
On Thu, 15 Aug 2019 22:11:37 +0200 Eric Rescorla via dev-security-policy wrote: > I expect this is true, but it seems to me that if anything it is an > argument that EV doesn't provide security value, not the other way > around: DV certificates are much cheaper to obtain than EV, and so >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread deanjc18--- via dev-security-policy
On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote: > On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via > dev-security-policy wrote: > > In old Firefox, I get a green bar if I visit google.com and paypal.com, > > telling me that this is a well-known company that got

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Kurt Roeckx via dev-security-policy
On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via dev-security-policy wrote: > In old Firefox, I get a green bar if I visit google.com and paypal.com, > telling me that this is a well-known company that got the EV certificate. > The other fake domains goog1e.com and paypa1.com only

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Daniel Marschall via dev-security-policy
Please tell me if I understand this correctly... Is it that DV and EV certificates now both show the same lock symbol? That would be a great harm in my opinion. And I do not understand why you want this change. I think EV is very important and I explain why. Let's look at following hypothetical

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-12 Thread Paul Wouters via dev-security-policy
> On Aug 12, 2019, at 14:30, Wayne Thayer via dev-security-policy > wrote: > > Mozilla has announced that we plan to relocate the EV UI in Firefox 70, > which is expected to be released on 22-October. Details below. Relocate seems a wrong word here. You are basically removing it. A few geeks