On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote: > James’ research has showed the ease at which it is possible to use the UI > afforded EV to mislead users - fundamentally, a form of phishing, > exploiting the misunderstanding about what EV is it guarantees. > > Ian’s research has shown that the UI afforded is fundamentally > insufficient, which, while long known, now has a direct case to point to. > The mismatch between what EV is - for every single certificate that exists > up until now - and what the UI expresses means that it’s insufficient, for > every single existing certificate out there, to show UI.
Here I would point out that these concerns would seem incongruent with your prior stated positions that no one is looking at or relying upon the EV marker. On the other hand, you also do point out correctly that there is some question of value and validity under the now-present standards. Let's be clear though: assuming those standards were promptly improved, it will be monumentally more difficult to get a UI enhancement back into product after its recent removal, right? While having a single level of assurance is simple and certainly is a level playing field, it is not a bad thing that consumers would like an externally validated marker which suggests that trust in the party controlling this website may be easier to grant: say, because, the details within the certificate clarify that a particular human being can be found responsible and called to account. When all else is unavailable, people tend to extend trust on the basis of potential mutual harm arising from bad action. If I feel confident that I can physically locate a person associated with a website, I feel far more confident allowing that website access to my credit card details in the course of normal commerce (like ordering something from a specialty web store.) Can that be abused? Yes. Is it generally? No. Does having that exposure level the imbalance from the relying user and the owner/operator of the website? At least a little. I would never want a world where this enhanced validation is mandatory. I would not want a world where those willing to trade transparency and exposure to improve their prospective customers' confidence to engage a transaction either. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy