I finally got around to digesting the email below. Summary/Reminder: CA related 
data on website identity from the perspective of website owners. 

As Homer Simpson said, "70% of all reports are made up". So, everything put 
forward by me in previous messages, or anyone else, must be taken with a pinch 
of salt. That said, data does give meaning to personal opinions. Without data, 
we’re left with just opinions.

If we set the data aside for a second, we all know (fingers crossed) that 
opening the wrong link and signing into the wrong website, is something that 
people either worry about, or should be worried about. 

I pitched a company last week. The Director of Threat Intelligence for a 
multi-billion dollar security company in Silicon Valley thought he’d prove that 
he couldn't be caught out. I wasn’t testing the room, but he jumped in and said 
"#10 is the real domain". He was wrong (unfortunately because I felt bad) - it 
was a fake. I had to explain how it wasn’t a reflection on his expertise but 
rather, an emotional state of mind at a given point in time under specific 
circumstances. What the eyes can’t see, the brain fills in [1].

This subject is so important I would love Mozilla to consider implementing a 
beta program. I’d proudly contribute. 

Here’s something we did at MetaCert, that Mozilla could do - auto classify 
regulated TLDs and gTLDs. For example, you could light up the visual indicator 
for URLs on .GOV domains - without any need for third-party interaction. This 
would make it virtually impossible for anyone to fall for a phishing scam when 
filing taxes - for example. Perhaps it would encourage the DNC (and GOP) to 
only use .GOV domains and avoid being hacked by Russians in the future. These 
are just a few use cases where there’s a potential for massive real world 
benefit.

Rather than remove website identity based on the response to poor design 
implementation, we should consider making it better. I believe website owners 
would be more likely to seek verification if they can really protect their 
brand online. And consumers would proactively look for it. 

Website identity won’t ever be perfect, but with new technologies and 
methodologies that have come out in the past 18 months, so much more can also 
be achieved by CAs and other providers, to tighten up the verification process, 
while making it faster and lower cost for customers.

[1] https://www.gla.ac.uk/news/archiveofnews/2011/april/headline_194655_en.html 

- Paul
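The mechanism described above (classify a URL by a regulated TLD such as .GOV and light the indicator locally, with no third-party lookup) as an added example. This is not code from this thread, from Mozilla or from MetaCert; the `REGULATED_SUFFIXES` list is an assumed, illustrative set, and the sample URLs are constructed to exercise the lookalike cases a classifier has to get right.

```javascript
// Added example, not code from the thread or from MetaCert: a minimal
// "regulated TLD" classifier so a browser could light an indicator for
// .GOV-style names without consulting any third party.
// REGULATED_SUFFIXES is an assumed, illustrative list, not an official one.
const REGULATED_SUFFIXES = new Set([
  'gov',    // US government (registration restricted by the GSA)
  'mil',    // US military
  'gov.uk', // UK government; multi-label, so the bare 'uk' must not match
  'edu',    // accredited US post-secondary institutions
]);

// Longest suffix we try to match, in DNS labels.
const MAX_SUFFIX_LABELS = 3;

function classifyUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: hostname excludes userinfo, port, path
  } catch {
    return { indicator: 'none', reason: 'unparseable URL' };
  }
  // A regulated suffix only says who may *register* a name; it says nothing
  // about the connection, so a plain-http page gets no indicator at all.
  if (url.protocol !== 'https:') {
    return { indicator: 'none', reason: 'not https' };
  }
  // url.hostname is already lower-cased and IDNA-encoded (a Greek or Cyrillic
  // lookalike of "gov" arrives as an xn-- label and never matches the set).
  // Drop a trailing dot so "irs.gov." and "irs.gov" classify the same way.
  const host = url.hostname.replace(/\.$/, '');
  const labels = host.split('.');
  // Always leave at least one label for the registrant's own name, and test
  // longer suffixes first so "gov.uk" wins over the bare "uk".
  const longest = Math.min(labels.length - 1, MAX_SUFFIX_LABELS);
  for (let n = longest; n >= 1; n--) {
    const suffix = labels.slice(-n).join('.');
    if (REGULATED_SUFFIXES.has(suffix)) {
      return {
        indicator: 'regulated',
        suffix,
        registrable: labels.slice(-(n + 1)).join('.'),
      };
    }
  }
  // Anything else, including "irs.gov.example.com" and "irs-gov.com", whose
  // real registrable domain sits under an open TLD, gets no indicator.
  return { indicator: 'none', reason: 'unregulated suffix' };
}

// Constructed sample inputs modelled on the lookalike tricks discussed in the thread.
const SAMPLES = [
  'https://www.irs.gov/',               // genuine regulated suffix
  'https://IRS.GOV./forms',             // case and trailing dot normalised
  'https://www.hmrc.gov.uk/',           // multi-label suffix
  'https://www.irs.gov.example.com/',   // ".gov" buried in a subdomain
  'https://irs-gov.com/',               // hyphen lookalike
  'https://irs.gov@evil.example/login', // "irs.gov" is only the userinfo part
  'http://www.irs.gov/',                // right name, no TLS
];

function classifyAll(urls = SAMPLES) {
  return urls.map((u) => ({ url: u, ...classifyUrl(u) }));
}

for (const r of classifyAll()) console.log(JSON.stringify(r));
```

The check is deliberately tied to the hostname the HTTPS connection was authenticated for: a regulated suffix tells you who was allowed to register that name, nothing more, so the indicator must never be driven by a string found in the path, the query, or the userinfo part of the URL. Everything the function needs is local, which is what makes it usable without the third-party interaction the message mentions.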




> On Oct 2, 2019, at 5:12 PM, Kirk Hall via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> On September 21, I sent a message to the Mozilla community with the results 
> of a survey of all of Entrust Datacard’s customers (both those who use EV 
> certificates, and those who don’t) concerning what they think about website 
> identity in browsers, browser UIs in general, and EV browser UIs in 
> particular. [1]  The data we published was based on 504 results collected 
> over two days (a pretty good response).
> 
> The survey was distributed in a way that each customer could only respond 
> once.  We left the survey open, and can now publish updated results from a 
> combined total of 804 separate certificate customers (300 more than last 
> time).  The results mirror the results we first reported two weeks ago – and 
> based on Paul Walsh’s data on when survey results should be considered 
> statistically significant [2], this means that the updated survey results are 
> very solid.
> 
> Here is a summary of the updated respondent results for the six questions 
> listed below.
> 
> (1) 97% of respondents agreed or strongly agreed with the statement: 
> "Customers / users have the right to know which organization is running a 
> website if the website asks the user to provide sensitive data."  (This is 
> the same result as for the prior sample.)
> 
> (2) 94% of respondents agreed or strongly agreed with the statement “Identity 
> on the Internet is becoming increasingly important over time.”  (This is 1% 
> higher than in the prior sample.)
> 
> (3) When respondents were asked “How important is it that your website has an 
> SSL certificate that tells customers they are at your company's official 
> website via a unique and consistent UI in the URL bar?” 76% said it was 
> either extremely important or very important to them. Another 13% said it was 
> somewhat important (total: 89%).  (This is 2% higher than in the prior 
> sample.)
> 
> (4) When respondents were asked “Do you believe that positive visual signals 
> in the browser UI (such as the EV UI for EV sites) are important to encourage 
> website owners to choose EV certificates and undergo the EV validation 
> process for their organization?” 72% said it was either extremely important 
> or very important to them.  (This is down 1% from the prior sample.) Another 
> 18% said it was somewhat important.  (This is up 1% from the prior sample.)  
> The total is the same at 90%.
> 
> (5) 92% agreed or strongly agreed with the statement: “Web browser security 
> indicators should be standardized across different browsers to make the UI 
> easier for users to understand.”  (No change from prior sample.)
> 
> (6) Finally, when asked “Do you think browsers should standardize among 
> themselves on a common Extended Validation UI so that it appears roughly the 
> same in all browsers?” 89% said yes.  (This is down 2% from the prior sample.)
> 
> Here is the distribution of respondents by number of employees:
> 
> 804 enterprise responses total (versus 504 in prior sample).  There was an 
> increase in survey participation by smaller companies in these updated 
> results.
> 
> Organization Size by Employee Count
> 
> 12.34%    1 to 99 employees
> 15.53%    100 to 499 employees
>  9.71%    500 to 999 employees
> 24.13%    1,000 to 4,999 employees
> 17.20%    5,000 to 19,999 employees
> 18.72%    20,000 or more employees
>  2.36%    Don't know
> 
> Clearly organizations of all sizes think website identity is important, that 
> the EV UI should be retained, and that the browser UI design should be 
> standardized across different browsers. While any survey can certainly be 
> improved, this is the only data anyone has provided to the Mozilla community 
> concerning what website owners think about browser UIs, and what they would 
> like to see.
> 
> We again recommend that Mozilla consider adopting the binary Apple UI, which 
> works in both desktop and mobile environments and distinguishes between 
> EV/identity sites (with a green lock symbol and URL) and DV/anonymous sites 
> (with a black lock symbol and URL) – check it out in an iPhone.  (Apple did 
> not eliminate the EV UI, as some have erroneously said.)  This is easy for 
> users to understand at a glance. To see how it looks, compare apple.com (EV) 
> to google.com (DV) on an iPhone using Safari.  Paul has suggested that color 
> difference alone is not sufficient, and there should be something more to 
> distinguish the EV UI from the DV UI – that sounds good to me, but if Mozilla 
> and Apple align, we will have made progress on getting a common UI across 
> multiple browsers.
> 
> As others have said on this string, there are no recent browser or academic 
> studies that say an improved EV UI can’t work with users.  The only 
> study that has been cited to support removal of the EV UI is a Google study 
> that essentially asked what users *do* know about UIs today (answer: users 
> don’t understand the current EV UI and don’t rely on it to make security 
> decisions).  I believe the reason for this result is that the EV UI is 
> constantly changing (the Chrome EV UI has gone through three major changes in 
> the last 12 months, with no user education – so why should users understand 
> it?)  But the Google study only displayed to users a number of web pages with 
> different UIs (without comment) and observed what the users *did* – the study 
> stopped there.  A more useful study to help Mozilla decide whether or not to 
> remove the EV UI (and to treat EV and DV sites as the same) would test what 
> users *could* know and *would* do with an improved (and stable!) EV UI and 
> simple user education about Firefox UI.  
> 
> If it turns out that users can be easily trained to notice whether or not a 
> site’s identity is known, wouldn’t that be useful study information for the 
> Mozilla community?   If a user feels comfortable typing in a password or 
> credit card number for well-known and trusted DV sites like google.com or 
> facebook.com, that’s fine – but what about yourgoogle.com or 
> facebook-alerts.com?  Safe, or phishing?  Wouldn’t it be smart at least to 
> let users *know* through the UI whether or not those sites have a confirmed 
> identity (or are just anonymous DV sites instead), so the users can decide 
> for themselves whether or not to share their sensitive information with the 
> site?
> 
> Paul has posted sobering data about the rise and danger of encrypted phishing 
> sites. [3]  And for those who don’t like EV or CAs in general, fine – but 
> what’s your solution for protecting users?  We have to do better.
> 
> Removing the Firefox EV UI is a big step for Mozilla, and it would be better 
> if Mozilla based its decision on current data, and also considered the 
> alternative of creating an improved EV UI instead of removing it.
> 
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/oBHe8ZJmAQAJ
> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/Xk_YDFAMBwAJ
> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/Q9aOjYUQBwAJ
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
