On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) Josef Schneider via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Not legally probably and this also depends on the jurisdiction. Since > an EV cert shows the jurisdiction, a user can draw conclusions from > that. Yes it is true that crimes are illegal. This has not previously stopped criminals, and I think your certainty that it will now is misplaced. What conclusions would you draw from the fact that the jurisdiction is the United Kingdom of Great Britain and Northern Ireland? Or the US state of Delaware ? Those sound fine right? Lots of reputable businesses? Yes, because those are great places to register a business, tremendously convenient. They have little if any regulation on registering businesses, light touch enforcement and they attract a modest fee for each one. This is of course also exactly the right environment for crooks. > But removing the bar is also not the correct solution. If you find > out that the back door to your house is not secured properly, will > you remove the front door because it doesn't matter anyway or do you > strengthen the back door? Certainly if crooks are seen to walk in through the back door and none has ever even attempted to come through the upstairs windows, it is strange to insist that removing the bars from your upstairs windows to let in more light makes the house easier to burgle. > The current > EV validation information in the URL works and is helpful to some > users (maybe only a small percentage of users, but still...) Is it helpful, or is it misleading? If you are sure it's helpful, and yet as we saw above you don't really understand the nuances of what you're looking at (governments are quite happy to collect business registration fees from crooks) then I'd say that means it's misleading. > EV certificates do make more assurances about the certificate owner > than DV certificates. This is a fact. This information can be very > useful for someone that understands what it means. Probably most > users don't understand what it means. But why not improve the display > of this valuable information instead of hiding it? The information is valuable to my employer, which does with it something that is useless to Mozilla's users and probably not in line with what EV certificate purchasers were intending, but I'm not on m.d.s.policy to speak for my employer, and they understood that perfectly well when they hired me. In my opinion almost any conceivable display of this information is likely to mislead users in some circumstances and bad guys are ideally placed to create those circumstances. So downgrading the display is a reasonable choice especially when screen real estate is limited. > Certificates cannot magically bring security. Certificates are about > identity. But the fact that the owner of the website somebank.eu is > the owner of the domain somebank.eu is not that helpful in > determining the credibility. If I process a link (as browsers do many times in constructing even trivial web pages these days) then this assures me it actually links to what was intended. This is enough to bootstrap WebAuthn (unphishable second factor credentials) and similar technologies, to safeguard authentication cookies and sandbox active code inside an eTLD+1 or narrower. All very useful even though the user isn't aware of them directly. For end users it means bookmarks they keep and links they follow from outside actually lead where they should, and not somewhere else as would trivially happen without this verification. > But the information that the owner of > somebank.eu is a incorporated company from Germany officially called > "Somebank AG" is more valuable. Maybe some people don't care and > enter their account data happily at s0m1b4nk.xyz, maybe most people > do. We don't know and we probably can't know how many people stopped > and thought if they are actually at the correct website because the > green bar was missing. But I am certain that it was more than zero. Why are you certain of this? Just gut feeling? > Why not for example always open a small overlay with information when > someone starts entering data in a password field? Something like "You > are entering a password at web.page. You visited this page 5 times > before, first on August 4th 2019. We don't know anything about the > owner" or for EV "You are entering a password at web.page. You > visited this page 5 times before, first on August 4th 2019. This > server is run by "WebPage GmbH" from Vienna, Austria [fancy flag > picture]". This server is run by "Authorised Web Site" from London, UK [Union flag]. Sounds legitimate. Remember, the British government doesn't care that Authorised Web Site is a stupid name for a company, that its named officers are the characters in Toy Story, that its claimed offices are a building site, nor even that it has never filed (and never will file) any business accounts. They collected their registration fee and that's all they ever cared about. Nick. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy