I don’t see how you can argue that the EV “seatbelt” breaks 100% of the time.  
I know my bank uses an EV cert.  Any time I come across a site claiming to be 
my bank but lacking an EV cert, and my browser shows me that distinction, is a 
time when the seatbelt saves me, through that extra signal that alerts me that 
something isn’t right.  If that goes away, there is unequivocally going to be a 
non-zero number of people who will be phished who would not have been phished 
with the UI present.

If the only choices are to remove the UI or not, then the question to resolve, 
I’d think, is: are more people being phished today because the UI is there, 
relative to the number who would be phished in a tomorrow where it is not?  
Only then would it make sense to remove it.  Of course there are a lot of 
variables to unpack to figure that out, but it’s not the black and white 
decision you paint here; removing it WILL be hostile to some number of users.

On 12/15/17, 4:08 PM, "dev-security-policy on behalf of Ryan Sleevi via 
dev-security-policy" 
<dev-security-policy-bounces+tshirley=trustwave....@lists.mozilla.org on behalf 
of dev-security-policy@lists.mozilla.org> wrote:

    >
    >Some might define user-hostile as, for example, a reduction of
    >functionality without suitable replacement in sight.
    >
    
    Except it's not a reduction of functionality, no more than removing a
    seatbelt that breaks 100% of the time in car accidents is removing a safety
    feature.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
