On Fri, Dec 15, 2017 at 2:34 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 15/12/2017 02:30, Ryan Sleevi wrote:
> > Some participants have pointed out correlation is not causation - that you
> > can’t infer that never being attacked by a tiger while you’re holding a
> > particular rock means that the rock repels tigers, any more than EV UI
> > prevents phishing.
>
> YOU in particular have kept insisting that it is a "myth" that
> phishing sites don't use EV certificates, yet keep pointing to articles
> about non-EV failures.

I’m sorry that you’re having difficulty understanding the points, but I can assure you that is not what I am insisting and is not what I have pointed out. The belief that EV prevents phishing - or even that EV is not used for phishing - rests on logically flawed arguments and is thus a logically flawed conclusion. Those same flaws can be used to provide equally compelling, yet just as logically flawed, alternatives. You haven’t responded to or acknowledged that substance, and from your reply, I suspect you haven’t done the suggested reading to understand the inherent flaws in your argument, and why the evidence itself would not support drawing the conclusion you are drawing.

In either event, my goal in this discussion is not to convince you. The stubbornness and animus present are more than effective to prevent that happening. It is not a product decision that gets made with 100% consensus of random people on a mailing list, but by Mozillans responsible for doing the right thing by users. I do want to consider your view, though, and as best possible ensure that you feel it has been considered - and so I’ve tried to listen, to show you the flaws in your argument, reasoning, and understanding, while consistently responding to the substance of your position when you’ve expressed one.

James’ research has shown the ease with which it is possible to use the UI afforded EV to mislead users - fundamentally, a form of phishing, exploiting the misunderstanding about what EV is and what it guarantees. Ian’s research has shown that the UI afforded is fundamentally insufficient, which, while long known, now has a direct case to point to. The mismatch between what EV is - for every single certificate that exists up until now - and what the UI expresses means that it’s insufficient, for every single existing certificate out there, to show UI.

The arguments in favor of UI have ranged from “power users” who do check the details (despite that being ineffective, due to inherent technical limitations) to the view that it is somehow “more safe” (despite being logically unsound and empirically false). Arguments to show UI have continued to implicitly assume it is both reasonable and appropriate to ask users to understand the nuance and limitations, while still shifting the liability and responsibility to them. The statement “It is only safe if you inspect every certificate in every request to ensure it matches the legal identity of the party you expect and that the CA has not been misled using fully valid methods” quickly morphs under these logically flawed reductions from “It is safe if” to “It is safe” and even the far more damningly flawed “It is more safe”, all unsupported by fact and reality.

There have been proposals to improve the validation - yet ignoring that the extant certificates suffer from being under today’s regime, and thus insufficient, or that EV’s flaws are not solely limited to validation. There have been proposals to leave the UI in place, for those who take comfort in relying upon it for something that they shouldn’t, but would be upset if they couldn’t. There have been, as there have been since the introduction of EV, proposals for “user education” - ignoring that it is inherently shifting the liability and expectation to users, asking them to do absolutely unreasonable things with an incredibly nuanced understanding, without any chance of it actually being correct and paying off, if they want to be “safe” online.

Perhaps there is a new argument, logically sound, to be made on the value of EV and of the EV UI. Certainly, there are use cases for it, independent of and without requiring any UI - see https://docs.google.com/document/d/e/2PACX-1vThdwFAKzEMlHzHZAN4o050CM3P2LNqPcwJUsqfOFVqs6LktwwFdARPzVp81KDN72ih1IZMTHR3tklk/pub for an example - but again, that doesn’t require or relate to UI. There are arguments for other forms of UI, but those ignore the relative cost/benefit tradeoff of forms of positive UI expressions (showing good vs showing warnings).

We’ve danced in circles around “what harm does it cause” - where folks who don’t have to deal with the fallout of the EV UI have either minimized or disputed the first and second order harm it causes the ecosystem, albeit often unintentionally. The logically flawed arguments, or the nuance of the solutions, are entirely lost to or against the interests of those who would promote or mandate EV. The ecosystem harm from the necessary requirements of EV (such as manual confirmation), or to the patterns and practices it encourages of both site operators and CAs, has mostly been ignored in the arguments in favor of EV. We’ve seen the usual argument that certificates should somehow relate to the content of the domain, despite that not being technically realistic, nor in the best interests of users, site operators, or quite honestly, CAs. And we’ve seen continuous repetition of logically flawed and unsound positions - statements that aren’t supported against the backdrop of reality, yet serve as emotional appeals against conclusions using arguments that can just as effectively argue the opposite result.

As I said, my goal isn’t to convince you. If you aren’t convinced by the extensive amount of information already present in this thread, or by the many ways in which your conclusions are flawed, then I’m not sure anything could. If you have something new to share, I’m all ears and willing to listen.

But my original question was not to you, and still remains: “given the ability to provide accurate-but-misleading information in EV certificates, and the effect it has on the URL bar (the lone trusted space for security information), has any consideration been given to removing or deprecating EV certificates?”

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy