On Monday, August 12, 2019 at 2:31:22 PM UTC-4, Wayne Thayer wrote:
> Mozilla has announced that we plan to relocate the EV UI in Firefox 70,
> which is expected to be released on 22-October. Details below.
> 
> If the before and after images are stripped from the email, you can view
> them here:
> 
> Before:
> https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F
> 
> After:
> https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u
> 
> - Wayne
> 
> ---------- Forwarded message ---------
> From: Johann Hofmann <jhofm...@mozilla.com>
> Date: Mon, Aug 12, 2019 at 1:05 AM
> Subject: Intent to Ship: Move Extended Validation Information out of the
> URL bar
> To: Firefox Dev <firefox-...@mozilla.org>
> Cc: dev-platform <dev-platf...@lists.mozilla.org>, Wayne Thayer <wtha...@mozilla.com>
> 
> 
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
> 
> Before:
> 
> 
> After:
> 
> 
> The effectiveness of EV has been called into question numerous times over
> the last few years; there are serious doubts whether users notice the
> absence of positive security indicators, and proofs of concept have been
> pitting EV against domains <https://www.typewritten.net/writer/ev-phishing/>
> for phishing.
> 
> More recently, it has been shown <https://stripe.ian.sh/> that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
> 
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77
> <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
> 
> 
> 
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie for
> working on it!). We're planning to flip this pref to false in bug 1572936
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
> 
> Please let us know if you have any questions or concerns,
> 
> Wayne & Johann

Thanks to Tim Callan for making the case for keeping and even improving the EV 
UI in Firefox.  I want to add a few more points to this interesting discussion.

Some have responded there is no research saying EV sites have significantly 
less phishing (and are therefore safer) than DV sites – Tim has listed two 
studies that say exactly that, and I’m not aware of any studies that say the 
opposite.  I can tell you that anti-phishing services and browser phishing 
filters have also concluded that EV sites are very unlikely to be phishing 
sites and so are safer for users.

Some opponents of the EV UI say it should go away because users don’t 
understand or know how to evaluate the specific organization information that’s 
displayed.  That’s true to a point – but an improved EV UI for Firefox could 
follow Apple’s example by showing a binary “identity/no identity” UI that would 
be easy for users to understand – green lock symbol and URL for identity (EV), 
black for no identity (DV).  If users want to see the specific organization 
information for the identity sites, it can be displayed with one click on the 
green lock symbol.  With a little user training (such as a pop-up for a few 
months explaining what the green UI means), users could understand – after all, 
users still remember “look for the lock symbol” for user security.

Remember that the need for knowledge of a website’s identity is not homogenous 
across users and uses.  For instance, users will have different needs to 
scrutinize identity information at different times.  Let’s look at currency, 
for example.  Currency contains many marks to validate its legitimacy such as 
watermarks, holograms, and the like.  The same person may treat currency 
differently based on context.  The same person might take cash out of the ATM 
machine with little close scrutiny but then look closely at the money received 
from a scalper at a sporting event or concert.  In the first case, the context 
is considered to be low risk, and in the second it’s considered to be high 
risk.  The security indicators are always there, so the relying party can take 
advantage of them when they’re warranted.

Likewise, some users have greater need for this knowledge.  In another offline 
example, travelers don’t actually scrutinize the names of fellow passengers who 
board their airplane – but their security is greatly increased by the fact that 
the airlines and TSA *do* scrutinize fellow travelers for them, remember the 
passenger names, and check the names against lists of known terrorists before 
letting them board a plane.  

That’s proactive security – checking for potential threats before letting a 
passenger get on an airplane.  In contrast, just relying on a browser filter to 
protect users against phishing is like letting people get on the plane 
anonymously and even take off, but promising to blacklist any passenger from 
future flights who sneaks on with a weapon and attacks the other passengers.  

That approach isn’t very effective – first, the bad guy has already harmed some 
passengers by the time of the blacklist, and second, if passengers can continue 
to board airplanes anonymously then any blacklisted passenger from an earlier 
flight can just get on another plane anonymously and repeat the exploit (just 
as anonymous phishers do repeatedly by constantly setting up new phishing 
websites which take time to be flagged by browser filters after the fact).  
Rewarding identity websites with a distinct EV UI is one way of providing user 
security proactively.

Instead of removing the EV UI entirely on the basis that users don’t understand 
the UI and don’t make security decisions based on the UI, maybe Mozilla should 
just simplify the EV UI and match what Apple did a year ago – show users the 
URL for the site they are at, but make the URL and lock symbol green for sites 
with identity (secured by an EV cert) and black for all other sites (including 
all DV sites).  If users click on a green lock symbol, they can then see the EV 
data if they want to.  And then Mozilla could do normal user training to tell 
them they are at safer sites when they see the green lock symbol and URL.  
(User training can be very simple but effective – many users still remember 
“look for the lock symbol” from the days when phishing used only http).  

Finally, some on this list have said that if user trust in EV sites increases, 
then phishers will just start getting EV certificates.  That’s possible, but 
remember one thing – once a phisher with an EV cert uses it for an exploit, the 
issuer will likely revoke the cert and add both the organization’s *name* and 
its phishing domains to its flag list – and the organization (a specific 
corporation identified by name, state of incorporation, and serial number) will 
never be able to get another EV cert from that CA, not even if the phisher 
changes to a different domain.  

That means an EV phisher will likely get one use out of each corporation it 
forms to get the cert, and then will have to form another corporation to get 
another EV cert, and so forth.  And CAs are currently setting up a common EV 
flag list, so a corporation found to have intentionally engaged in EV phishing 
probably won’t be able to get an EV certificate from another CA either.  That’s 
probably one reason why phishers don’t use EV certs today – it’s too expensive 
and time consuming if you can only use your corporation’s EV cert in one 
phishing campaign (and then your corporation can never get another EV cert 
because of its past record).

Likewise, reports of EV certs being offered on the dark web are actually fairly 
humorous – it means scammers are scamming other scammers.  Any phisher who buys 
an EV cert on the dark web can likely use it only once, and then the EV cert 
will be revoked and the phisher will be unable to get another EV cert for the 
same corporation – a pretty poor investment for the phisher, but maybe a good 
deal for the scammer who sells the EV cert on the dark web.    

Today there’s a huge wave toward protecting consumer privacy – in Congress, 
with the GDPR, etc. – but how can we protect user privacy on the web without 
establishing the identity of the websites that are asking for consumer 
passwords and credit card numbers? EV certificates provide this information 
and can be very useful for consumers to determine this identity.

To close - browsers love data, and Mozilla has a lot of really smart engineers. 
That’s why I hope Mozilla will come up with innovative ways to use EV data, 
and not just drop it.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy