On Thu, Oct 24, 2019 at 5:31 PM Paul Walsh <p...@metacert.com> wrote:
> So, the next time a person says “EV is broken” or “website identity can’t
> work” please think about what I just said and imagine actual browser
> designers and developers who were/are responsible for that work. They were
> never given a chance to get it right.

The point I wanted to bring to people's attention here is that the world has moved on since.

At the present moment we are engaged in a political crisis on both sides of the Atlantic. Those are the particular issues on which I have been focused and those are the issues that I expect will be my primary concern for a few months longer. But one way or another, those issues will eventually be resolved. And as soon as that happens, the blamestorming will begin. And once they have run out of the guilty, they will be going after the innocent (as of course will the people who were also guilty hoping to deflect attention from their own culpability). And who else is there going to be left to blame who is within reach apart from 'BigTech'?

The security usability approach of the 1990s doesn't work any more. We don't need people to tell us what doesn't work, we need people who are committed to making it work.

The brief here is how to provide people with a way that they can be safe on the Internet that they can use. That includes providing them with a means of being able to tell a fake site from a real one. That also includes the entirely separate problem of how to prevent phishing-type attacks.

And one of the things we need to start doing is being honest about what the research actually shows. From the paper cited by Julien:

"The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear."

This is actually the exact opposite of the misleading impression he gave of the research. The green bar is not enough, I never expected it to be.

To be successful, the green bar required the browser providers to provide a consistent UI that users could rely on and explain what it means. It seems that every day I am turning on a device or starting an app only to be told it has updated and they want to tell me about some new feature they have added. Why is it only the features that the providers want to tell me about that get that treatment? Why not also use it to tell people how to be safe?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy