On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> The overall thing is that the current thread seems to be a major case of
> throwing the baby out with the bathwater.
>

That is overly reductive and may demonstrate a lack of understanding of the
points of criticism.


> The entire problem boils down to this:
>

No, it doesn't.

This is yet another practical demonstration of an overall set of flaws with
EV, for which those bolsters (which it would be fair to say include you, at
this point) do not acknowledge the holistic set of issues - or their
fundamental failure.

For those involved in the regular, day to day involvement with PKI, these
sets of concerns are well at the forefront of our minds, but in the event
you may not be familiar:

The EV Guidelines establish what CAs (rightly or wrongly) believe as the
purpose of EV, as noted in Section 2.1 of
https://cabforum.org/wp-content/uploads/EV-V1_6_6.pdf
- 2.1.1 (1) does not require special UI treatment
- 2.1.1 (2) is not necessary - DV already achieves that
- 2.1.2 (1) is demonstrably false
  - While Ian's example is yet another part of this, there's nothing
fundamental within EV certificates that achieves 2.1.2 (1), because that
goal is itself so ill-defined that it fundamentally is unachievable.
  - CAs who believe that biased marketing surveys are equivalent to
peer-reviewed research would have you believe that "Out of 100 phishing
sites we saw, none used EV, therefore, EV is more secure", therefore this
goal is achieved. This is so scientifically unsound and methodologically
flawed that it should be laughed out of serious discussion, yet they
continue to peddle such abject logically unsound rubbish. They might as
well shout "fake news" for all the credibility that should be afforded to them.
  - Sticklers for this point will typically suggest this can be achieved
through one of three means - "temporal risk", "financial cost", or "legal
risk" - namely:
    - because an EV cert takes longer (temporal), it reduces risk because
people don't want to wait (ignoring the fact that some CAs will turn out an
EV cert in hours)
    - because an EV cert has, on average, a substantially higher cost
(financial) than a DV cert, it serves as a bar to entry for attackers who
would otherwise not want to use money (ignoring that attackers,
particularly phishers, already have a network of credentials and resources
to charge against)
    - because an EV cert requires some sort of legal identity, they're
exposing themselves to risk of identification (ignoring work like James' or
Ian's, because, well, that's convenient)
- 2.1.2 (3) does not require any UI - that's purely on the backend

So the whole premise for why there should be *any* UI treatment is
predicated on 2.1.2 (2), which clearly spells out that EV is a marketing
tool, wrapped in the guise of a security tool. I do not feel you can offer
a more charitable read of that section.

And what do we get for browsers selling, rent-free, their critical UI
space of billions of users?

Well,
2.1.3 (1) - No assurances that they're doing business
2.1.3 (2) - No assurances that they comply with applicable laws
2.1.3 (3) - No assurances that they're trustworthy, honest, or reputable


Literally the entire value proposition of EV reduces to "CAs want to sell
billboards in the browser's security UI". And the fundamental point is that
such UI is security critical - it's the line of death between trustworthy
and untrustworthy content (
https://textslashplain.com/2017/01/14/the-line-of-death/ ).

The goal is to ensure this URL bar requires as little cognitive thought as
possible - you should be able to quickly determine if you're at where you
expect, where "where you expect" is the URL. And the URLs you use should
use systems that do not rely on users checking that - e.g., they should be
using origin bound credentials (WebAuthN/U2F), they should be using
browser/password manager mediated identities (Credentials API), etc.

This isn't throwing the baby out with the bathwater. This is recognizing
that having a billboard of things users are also supposed to know or else
we get to blame them when things go wrong is bad policy, bad security, and
actively hostile to users. Let's not let idealism get in the way of the
pragmatic reality that the most important job a browser has is keeping
users safe and secure, the most effective way to do that is to keep things
as simple as possible (so that all people, of all skillsets, can enjoy the
Web), and the simplest way to security is to get users to the point of not
having to think about it, because the systems Just Work. EV is predicated
on the idea of training users to be cognitively aware of all of the legal
nuance of the organization, and ever vigilant, as a way of absolving site
operators and CAs of their responsibility to make the system better. That's
just bad policy.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy