Right, but both Ian and James' research show that it's an unreliable
guarantee for those attacks - you may be relying on it, but it's not safe
for it.

Further, the costs to support your use case - well-intentioned but perhaps
not aligning with the pragmatic reality - affect users who don't do so or
aren't conditioned, by adding further confusion into the nuances of
jurisdictional incorporation.

So if it doesn't meet your intended use case / you're relying on a placebo,
and it harms others, perhaps the UI treatment should go away :)

Note, my focus in all of this discussion has been about the expression of
UI surface in the security-critical section of a browser, and specifically,
asked for Mozillians to comment on their plans (which, of course, had
everyone but them commenting). There may still be value in
EV-as-a-validation, but EV as a phishing mitigation - your scam emails or
such - are not solved by EV. Technically or via validation.

On Wed, Dec 13, 2017 at 1:52 PM, Tim Shirley <tshir...@trustwave.com> wrote:

> I don’t dispute your claims if the attacker is ‘on the wire’; what I
> dispute is that that is actually the case most of the time.  I’d think a
> far more common case is one in which I receive an email, purportedly from
> my bank, but containing a URL that isn’t the one I recognize as my bank’s.
> Usually that’s a scam, but sometimes it’s a legit separate domain they have
> for the credit card rewards program or something like that.  Or a case
> where I am typing a known URL and I fat-finger something and stumble onto a
> scammer’s site.  The immediate absence of the EV organization name is going
> to help me detect that I’m not where I want to be.
>
> BTW, I looked at these things long before I was in the CA business, so if
> I was “conditioned” it must have been by the outside world.  ☺
>
> *From: *Ryan Sleevi <r...@sleevi.com>
> *Reply-To: *"r...@sleevi.com" <r...@sleevi.com>
> *Date: *Wednesday, December 13, 2017 at 1:18 PM
> *To: *Tim Shirley <tshir...@trustwave.com>
> *Cc: *Nick Lamb <n...@tlrmx.org>, "dev-security-policy@lists.mozilla.org" <
> dev-security-policy@lists.mozilla.org>, Jakob Bohm <jb-mozi...@wisemo.com>
> *Subject: *Re: On the value of EV
>
> On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> As an employee of a CA, I’m sure many here will dismiss my point of view
> as self-serving.  But when I am making trust decisions on the internet, I
> absolutely rely on both the URL and the organization information in the
> “green bar”.  I relied on it before I worked for a CA, and I’m pretty sure
> I’ll still rely on it after I no longer work in this industry (if such a
> thing is even possible, as some in the industry have assured me it’s not).
>
> I think the focus on the edge cases has been because even the case you
> raise here (and below), can be demonstrated as technically flawed.
>
> You believe you're approaching a sense of security, but under an
> adversarial model, it falls apart.
>
> The historic focus has been on the technical adversary - see Nick Lamb's
> recent reply a few minutes before yours - and that's been thoroughly
> shown that EV is insufficient under an attacker model that is 'on the
> wire'. However, EV proponents have still argued for EV, by suggesting that
> even if it's insufficient for network adversaries, it's sufficient for
> organizational adversaries. Ian's and James' research shows that's also
> misguided.
>
> So you're not wrong that, as a technically skilled user, and as an
> employee of a CA, you've come to a conclusion that EV has value, and
> conditioned yourself to look for that value being expressed. But under both
> adversarial models relative to the value EV provides, EV does not address
> them. So what does the UI provide, then, if it cannot provide either
> technical enforcement or "mental-model" safety?
>
> Are you wrong for wanting those things? No, absolutely not. They're
> perfectly reasonable to want. But both the technical means of expressing
> that (the certificate) and the way to display that to the user (the UI
> bar), neither of these hold up to rigor. They serve as placebo rather than
> panacea, as tiger repelling rocks rather than real protections.
>
> Since improving it as a technical means is an effective non-starter (e.g.
> introducing a new origin for only EV certs), the only fallback is to the
> cognitive means - and while users such as yourself may know the
> jurisdictional details for all the sites they interact with, and may have a
> compelling desire for such information, that doesn't necessarily mean it
> should be exposed to millions of users. Firefox has about:config, for
> example - as well as extensions - and both of those could provide
> alternative avenues with much greater simplicity for the common user.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
