I have been trying very hard to engage at the substance, but you keep
misunderstanding my statements and then answering that strawman.

So let's reiterate:

- I do not suggest assigning *liability* to the user.

- I do suggest *helping the user* make informed decisions of the kind
 that humans traditionally make in the offline world.  Decisions such as
 "does this look like a safe place to eat?".  "Does something look wrong
 about this?".

- I suggest that users *want to know* who the *real world entity* behind
 a website is before doing certain things in relationship to that real
 world entity (possibly through the website, possibly not).

- I suggest that the EV UI provides *useful information* to human users
 deciding if they want to interact with a real world entity.

- I suggest that EV certificates *do provide the warranties* listed in
 section 7.1 of the EV guidelines.

- I suggest that the exclusions in section 2.1.3 of the EV guidelines
 simply mean the CA does not judge or police companies, *only check
 their identities*. This does not contradict the section 7.1 warranties.

- I suggest that statistics about how little users understand the EV
 user interface and ecosystem do not provide any information about the
 practical usefulness of what little they do understand.  I do not claim
 to have statistics about that usefulness, which can only be measured
 from comparing real world events that are sufficiently similar, or by
 very carefully conducted behavioral experiments (not to be confused
 with A/B experiments on unwilling participants).




On 13/12/2017 13:39, Ryan Sleevi wrote:
On Wed, Dec 13, 2017 at 6:29 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:


Yes. This is the foundation and limit of Web Security.

https://en.wikipedia.org/wiki/Same-origin_policy

This is what programmatically enforced. Anything else either requires new
technology to technically enforce it (such as a new scheme), or is
offloading the liability to the user.


What is *programmatically* enforced is too little for human safety.
Believing that computers can replace human judgement is a big mistake.
Most of the world knows this.


That is a misguided and inaccurate rephrasing.

However, it still shows that you are fundamentally taking the view point
that:
1) Users should be responsible and bear the liability (straight up user
hostile)
2) This information is as critical as the one piece of truly guaranteed
information, the URL (it isn’t)
3) It is a usable solution to require the visual determination as to
whether a given piece of information is present - that is, a positive
indicator (where both general studies AND browser specific studies show
this doesn’t work)

You aren’t adding to this, you’re simply phrasing your view that this
information is valuable. You haven’t responded to these points as to the
user experience, or the research, but instead theorize about how it should
be, or power users, or user education, all while ignoring the substance of
these realities.


You need to understand that not every trust begins and ends with a
Google search for a URL.


You need to understand that EV specifically states it is not for this
purpose. As already provided to you from the EVGs.


Sometimes people buy cheaper items online and just need to know that
their credit card transaction is not visible to a random company (hence
the common practice of outsourcing the entry of card details to a
reputable clearing service that promises not to hand the credit card
number back to the seller).


EV does not provide this. This is just a basic understanding of the technology.

Sometimes people make bigger purchases and
need the assurance that there is a real company at the other end, which
can (if necessary) be sued for non-delivery.


EV EXPLICITLY does not provide this. Read the EVGs.

Sometimes people make
really big transactions and need to know that they are dealing with a
real world entity that they have a real world trust relationship with.


EV EXPLICITLY does not provide this. Read the EVGs.

I have been copying the example name from message to message, with no one
objecting.  Saving up this mistake for use as ammunition when you run
out of arguments is not a nice way to argue.


Getting upset doesn’t undermine the fact that you’ve continued to make
mistakes that have already been addressed in both the original research and
past replies to you. The discussion has not been moved forward by the
points you’ve raised, because they’ve already been shown to be logically or
factually flawed and unsupported. I do hope that you will revisit these and
see how the points you’ve raised - even in this very message - are already
disputed by the research, design, and technology.

The remainder of your argument basically boils down to "But Banks already
are offloading the liability to users when they say check for the green
bar" (and that is bad, user hostile, and unsustainable), and the "Look for
the corporate identity" has been shown repeatedly to be insufficient and
incomplete that if that is the response you'd offer, then it's not
introducing new information into the conversation.


No, I was using the awareness campaigns by banks as an example of how
users can be, and have been, trained to use the EV UI even if they don't
fully understand it.  It was a counterexample to your use of misleading
statistics about how few users understand the nuances of EV
certificates.


It is hardly a counter-example. It continues to be unsupported by data, by
the extant user studies contradicting your conclusions and belief - that
they are effective and users understand - and themselves still rely on the
fundamentally flawed approach of shifting the liability to the user to make
sense of the legal identity.

You have yet to respond to the substance of this basic model about users -
continuing to insist that somehow it’s reasonable to expect billions of
users to be aware of an interface that shows the jurisdictional nuance in a
critical UI point. It’s unclear whether or not you even acknowledge the
current flaws - I would hope, given your earlier proposal to display the
full jurisdictional information, that you can at least acknowledge that EV
as it presently exists is insufficient UI and insufficient validation for
the status afforded it. At best, your view seems to be to double down on
promoting a user-hostile, unrealistic workflow, by adding even more
information (ignoring the research and basic cognitive challenges I pointed
out to you), restricting the access even further (ignoring the inherent
limitations of that, as demonstrated by WIPO), and then expecting users to
understand this even more nuanced approach of limitations.

None of this has changed from when we first started discussing, and you
haven’t meaningfully engaged on these basics, other than providing your
opinion - which, while valuable, doesn’t dispute or disprove those issues
above.


I am saying that your view of what the EV system achieves and has
already achieved is completely biased and flawed.


Cool. Well, since you won’t engage in the substance - where I provided the
supporting facts and basic positions for the conclusions, and walked you
through how they are arrived at - and are willing to hold the line on this
opinion despite it being unsubstantiated by the facts, then we’re done.
You’re not engaging with anything more than opinions and stories about how
it ought to be, so I haven’t learned anything new from you that wasn’t
already discounted or disproved. You’re either not willing to read the
research - or even the original issues - or not convinced by the years of
academic research showing your conclusions aren’t supported, so there's no
point trying to convince you of these facts.

The lack of engagement on, or discussion of, origins perhaps best
illustrates how fundamentally ineffective this conversation has been -
because that is the starting point, in any conversation, yet it is
continually deflected or ignored.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy