I think we've finally reached the essence of this debate: if there is a chance a security feature will fail, should we abandon that security feature?

When it comes to EV certs and the UI treatments thereof, it seems that Ryan and others at Google, others in this forum, and perhaps the authors of the reports he originally cited are advocating an answer of, Yes: forget about EV, it is possible to spoof therefore nobody is safe. There is certainly a seductive purity and ruthless simplicity to such an argument.

The counter-argument being made is, No: there is some value to these measures and they should remain. There is value in a human readable, positive affirmation that I am where I want to be even if there's a possibility I'm being tricked. Viewed in the context of a layered approach to security, the UI signals are one more layer and if this one layer should falter, the others might help prevent a bad outcome.

I would add 2 points: First, we should acknowledge the possibility for users to do all the right things and still end up with a bad result. Sometimes the bad guys are smarter than the good guys. This is especially the case when malware infects a system and that malware is able to assert every positive security indicator while doing its dirty work behind the scenes.

Second, the actual value in EV as far as I can see is in having that human readable name in addition to the domain name. A successful plan of attack will need convincing names for both, which does raise the bar on an attacker. If EV and the UI treatments were to go away, it would simplify the task for some attackers and that seems undesirable. 


From: Ryan Sleevi via dev-security-policy
Sent: Friday, December 15, 2017 4:24 PM


If the signal can be spoofed, it does not actually help keep you safe.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
