On Tuesday, 27 August 2019 00:48:38 UTC+2, Matt Palmer wrote:

> On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via dev-security-policy wrote:
> > Sure I can register a company and get an EV certificate for that company.
> > But can I do this completely anonymously like getting a DV cert?
>
> Yes.

Probably not legally, and this also depends on the jurisdiction. Since an EV cert shows the jurisdiction, a user can draw conclusions from that.

> > Nobody is arguing that EV certificates are perfect and everything is good
> > if you use them. But they do raise the bar for criminals. And in my
> > opinion, significantly.
>
> Except criminals don't need them. Raising the bar doesn't help if you don't
> need to go over the bar.

But removing the bar is also not the correct solution. If you find out that the back door to your house is not secured properly, will you remove the front door because it doesn't matter anyway, or do you strengthen the back door?

> > What I propose is for Mozilla to not say "Fuck it, it's not working, just
> > remove it!" but instead try to focus on finding a better UX solution to
> > the problem that end users are not aware if a site that should have an EV
> > certificate is not presenting one.
>
> Why should Mozilla do all this work? So far, all the evidence suggests that
> EV certs do not do what their advocates say they do, and have a significant
> cost to browsers (code complexity, administration of EV bits, etc) and
> relying parties (need to learn what the EV UI means, what it does and
> doesn't claim, etc).

Why should Mozilla do work to make the situation worse? The current EV validation information in the URL bar works and is helpful to some users (maybe only a small percentage of users, but still...). Why is Mozilla interested in spending money on making the situation worse? If Mozilla doesn't care about the empowerment of their users, the default would be to not change anything, not to actively make it worse.

EV certificates do make more assurances about the certificate owner than DV certificates. This is a fact. This information can be very useful for someone who understands what it means. Probably most users don't understand what it means. But why not improve the display of this valuable information instead of hiding it?

Certificates cannot magically bring security. Certificates are about identity. But the fact that the owner of the website somebank.eu is the owner of the domain somebank.eu is not that helpful in determining its credibility. The information that the owner of somebank.eu is an incorporated company from Germany officially called "Somebank AG" is more valuable. Maybe some people don't care and happily enter their account data at s0m1b4nk.xyz; maybe most people do. We don't know, and we probably can't know, how many people stopped and thought about whether they were actually at the correct website because the green bar was missing. But I am certain that it was more than zero.

What Mozilla is now proposing is: EV certificates have no use in any situation, so basically remove them. I don't think that's true. I am not a UX designer, but I am sure there are methods to incorporate this valuable information from EV certificates in a way that is helpful to users. Why not, for example, always open a small overlay with information when someone starts entering data in a password field? Something like "You are entering a password at web.page. You visited this page 5 times before, first on August 4th 2019. We don't know anything about the owner", or for EV "You are entering a password at web.page. You visited this page 5 times before, first on August 4th 2019. This server is run by "WebPage GmbH" from Vienna, Austria [fancy flag picture]".

As said, I am not a UX designer (or any graphical type of designer), so probably this idea is stupid. But my point is that the information in an EV certificate is useful **to the user** and should be presented in a way that empowers the user, not be hidden.

- Josef

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy