I don’t see how you can argue that the EV “seatbelt” breaks 100% of the time. I know my bank uses an EV cert. Any time I come across a site claiming to be my bank but lacking an EV cert, and my browser shows me that distinction, is a time when the seatbelt saves me, through that extra signal that alerts me that something isn’t right. If that goes away, there is unequivocally going to be a non-zero number of people who will be phished who would not have been phished with the UI present.
If the only choices are to remove the UI or not, then the question to resolve, I’d think, is: are more people being phished today because the UI is there, relative to the number who would be phished in a tomorrow where it is not? Only then would it make sense to remove it. Of course there are a lot of variables to unpack to figure that out, but it’s not the black and white decision you paint here; removing it WILL be hostile to some number of users.

On 12/15/17, 4:08 PM, "dev-security-policy on behalf of Ryan Sleevi via dev-security-policy" <dev-security-policy-bounces+tshirley=trustwave....@lists.mozilla.org on behalf of dev-security-policy@lists.mozilla.org> wrote:

> > Some might define user-hostile as, for example, a reduction of
> > functionality without suitable replacement in sight.
>
> Except it's not a reduction of functionality, no more than removing a seatbelt that breaks 100% of the time in car accidents is removing a safety feature.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy