On Thursday, August 29, 2019 at 5:26:55 PM UTC-5, Kirk Hall wrote:
> On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote:
> > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > Don't argue with me, argue with the browser phishing filters and
> > > anti-phishing services who do, in fact, use EV website information to
> > > protect users as I described. Presumably they know what they are doing.
> >
> > Sorry that it sounded like I'm arguing. I'm just trying to understand the
> > premise, since it so obviously has security holes that would make EV
> > certificates more dangerous for any user who relied on such services.
> >
> > Could you point to the browser phishing filters and anti-phishing services
> > that do? It might be an opportunity for you to find out how they deal with
> > this, and report back, so we don't have to presume anything.
>
> Let's hear directly from the experts - can you get someone from Google Safe
> Browsing to post to this list, and then we can all ask him or her our
> questions and get the definitive answers. Thanks.
Kirk,

What you are implying about GSB (and possibly other phishing filters) using the information contained within EV SSL certificates as part of their algorithm changes the reliance on EV SSL/TLS in fundamental ways. The end result of removing the EV UI is that the decision to trust a website based on EV is practically transferred from the user to GSB and other phishing filters, since the user cannot see the EV UI. The user is still impacted by the EV information depending on how GSB interprets it along with other signals.

If GSB does factor in EV, I'm curious to learn how they use the jurisdiction information in the EV certificates as well as other information.

Some posters on this thread advocate doing away with the EV UI due to issues discussed previously, but I wonder if they are aware that this information still might be used to block certain websites or influence the user's behavior without the user ever knowing that the EV information was used.

Will CAs market EV SSL as a way for sites to increase their "scores" with GSB and other phishing filters?

Leo

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy