Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-25 Thread Phillip Hallam-Baker via dev-security-policy
On Fri, Oct 25, 2019 at 4:21 AM James Burton  wrote:

> Extended validation was introduced at a time when mostly everyone browsed
> the internet using low/medium resolution large screen devices that provided
> the room for an extended validation style visual security indicator.
> Everything has moved on and purchases are made on small screen devices that
> have no room to support an extended validation style visual security
> indicator. Apple supported extended validation style visual security
> indicator in iOS browser and it failed [1] [2].
>
> It's right that we are removing the extended validation style visual
> security indicator from browsers because of a) the above statement b)
> normal users don't understand extended validation style visual security
> indicators c) the inconsistencies of extended validation style visual
> security indicator between browsers d) users can't tell who is real or not
> based on extended validation style visual security indicators as company
> names sometimes don't match the actual site name.
>
> [1]  https://www.typewritten.net/writer/ev-phishing
> [2]  https://stripe.ian.sh
>

The original proposal that led to EV was actually to validate the company
logos and present them as logotype.
There was a ballot proposed here to bar any attempt to even experiment with
logotype. This was withdrawn after I pointed out to Mozilla staff that
there was an obvious anti-Trust concern in using the threat of withdrawing
roots from a browser with 5% market share to suppress deployment of any
feature.

Now for the record, that is what a threat looks like: we will destroy your
company if you do not comply with our demands. Asking to contact the
Mozilla or Google lawyers because they really need to know what one of
their employees is doing is not.

Again, the brief here is to provide security signals that allow the user to
protect themselves.


-- 
Website: http://hallambaker.com/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-25 Thread James Burton via dev-security-policy
Extended validation was introduced at a time when mostly everyone browsed
the internet using low/medium resolution large screen devices that provided
the room for an extended validation style visual security indicator.
Everything has moved on and purchases are made on small screen devices that
have no room to support an extended validation style visual security
indicator. Apple supported extended validation style visual security
indicator in iOS browser and it failed [1] [2].

It's right that we are removing the extended validation style visual
security indicator from browsers because of a) the above statement b)
normal users don't understand extended validation style visual security
indicators c) the inconsistencies of extended validation style visual
security indicator between browsers d) users can't tell who is real or not
based on extended validation style visual security indicators as company
names sometimes don't match the actual site name.

[1]  https://www.typewritten.net/writer/ev-phishing
[2]  https://stripe.ian.sh

Thank you

Burton

On Fri, Oct 25, 2019 at 5:35 AM Phillip Hallam-Baker via
dev-security-policy  wrote:

> On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org>
> > writes:
> >
> > >we conducted the same research with 85,000 active users over a period of
> > >12 months
> >
> > As I've already pointed out weeks ago when you first raised this, your
> > marketing department conducted a survey of EV marketing effectiveness. If
> > you have a refereed, peer-reviewed study published at a conference or in
> > an academic journal, please reference it, not a marketing survey
> > masquerading as a "study".
>
>
> There are certainly problems with doing usability research. But right now
> there is very little funding for academic studies that are worth reading.
>
> You didn't criticize the paper with 27 subjects split into three groups
> from 2007. Nor did you criticize the fact that the conclusions were totally
> misrepresented.
>
> So it doesn't appear to be spurious research that you have a problem with
> or the misrepresentation of the results. What you seem to have a problem
> with is the conclusions.
>
> At least with 85,000 subjects there is some chance that Paul himself has
> found out something of interest. That doesn't mean that we have to accept
> his conclusions as correct, or incontrovertible but I think it does mean
> that he deserves to be treated with respect.
> I am not at all happy with the way this discussion has gone. It seems that
> contrary to the claims of openness, Mozilla has a group think problem. For
> some reason it is entirely acceptable to attack CAs for any reason and with
> the flimsiest of evidence.


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Phillip Hallam-Baker via dev-security-policy
On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy 
> writes:
>
> >we conducted the same research with 85,000 active users over a period of
> >12 months
>
> As I've already pointed out weeks ago when you first raised this, your
> marketing department conducted a survey of EV marketing effectiveness.  If
> you have a refereed, peer-reviewed study published at a conference or in
> an academic journal, please reference it, not a marketing survey
> masquerading as a "study".


There are certainly problems with doing usability research. But right now
there is very little funding for academic studies that are worth reading.

You didn't criticize the paper with 27 subjects split into three groups
from 2007. Nor did you criticize the fact that the conclusions were totally
misrepresented.

So it doesn't appear to be spurious research that you have a problem with
or the misrepresentation of the results. What you seem to have a problem
with is the conclusions.

At least with 85,000 subjects there is some chance that Paul himself has
found out something of interest. That doesn't mean that we have to accept
his conclusions as correct, or incontrovertible but I think it does mean
that he deserves to be treated with respect.
I am not at all happy with the way this discussion has gone. It seems that
contrary to the claims of openness, Mozilla has a group think problem. For
some reason it is entirely acceptable to attack CAs for any reason and with
the flimsiest of evidence.


Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
Apologies for the massive number of typos. I was angry when I read the response 
to my thoughtful messages. I tried my best to hold back. I didn’t even have the 
energy to check what I’d written before hitting send. 



> On Oct 24, 2019, at 7:37 PM, Paul Walsh  wrote:
> 
> 
>> On Oct 24, 2019, at 6:53 PM, Peter Gutmann  wrote:
>> 
>> Paul Walsh via dev-security-policy  
>> writes:
>> 
>>> we conducted the same research with 85,000 active users over a period of 
>>> 12 months
>> 
>> As I've already pointed out weeks ago when you first raised this, your
>> marketing department conducted a survey of EV marketing effectiveness.  
> 
> [PW] With respect Peter, you articulate your opinion doesn’t make it a matter 
> of fact. Read the article properly and you will see that it’s not from a 
> marketing department. It’s a small startup that wanted to conduct a social 
> experiment. 
> 
>> If
>> you have a refereed, peer-reviewed study published at a conference or in 
>> an academic journal, please reference it, not a marketing survey 
>> masquerading as a "study”.
> 
> Rubbish. We don’t need to publish at a conference or in an academic journal 
> for it to demonstrate a point. If *you* don’t want to trust it, that’s ok. I 
> don’t expect everyone to trust everything that is written.
> 
> As Homer Simpson said; “70% of all reports are made up”. 
> 
> Our work is not marketing - you obviously didn’t read the methodology and the 
> reasons or you wouldn’t make such silly comments. 
> 
>> 
>> A second suggestion, if you don't want to publish any research (by which I
>> mean real research, not rent-seeking CA marketing) supporting your position, 
> 
> Did you read any of the words I wrote? I’ve said more than once that I don’t 
> work for a CA - never have. You’re obviously a CA-hater and hate everything 
> that’s ever discussed about website identity. Haters are gonna hate. I 
> couldn’t be more impartial.
> 
> 
>> is that you fork Firefox - it is after all an open-source product - add 
>> whatever EV UI you like to it, and publish it as an alternative to Firefox.  
>> If your approach works as you claim, it'll be so obviously superior to 
>> Firefox that everyone will go with your fork rather than the original.
> 
> Another weird comment. Forking code and building products doesn’t mean people 
> will use it. I have nothing to prove to anyone. If all the browser vendors 
> did as I suggest it would mean there’s no need for our flagship product. So 
> how on earth could I be biased. My commentary is counterproductive for my 
> shareholders and team. But I care about what’s in the best of industry. You 
> clearly don’t because you need to have the word “Google” or “Stanford” 
> stamped on a PDF. None of the authors of any of those documents come close to 
> the level of experience that my team and I have - including our industry 
> contributions. I was the first person to ever re-write Tim Berners-Lee’s 
> vision of the “one web” when I co-founded the Mobile Web Initiative. I 
> shouldn’t have to throw these things around just to appease you. Do your 
> research if you actually care.
> 
>> 
>> For everyone else who feels this interminable debate has already gone on
>> far too long and I'm not helping it, yeah, sorry, I'd consigned the thread 
>> to the spam folder for awhile, had a brief look back, and saw this, which 
>> indicates it's literally gone nowhere in about a month.
> 
> Go play in your spam folder for a little longer because I’m done responding 
> to your insults. You didn’t question anything outside our intent which is to 
> question my integrity. I won’t accept that - it’s as insulting as it gets.
> 
>> 
>> I can see why Mozilla avoided this endless broken-record discussion, it's
>> not contributing anything but just going round and round in circles.
> 
> It’s going around in circles because you refuse to take the time and effort 
> to read what has been written. Instead, you assume we have ulterior motives. 
> As I’ve said, my motives are not necessarily in the best interest of my 
> company. 
> 
> - Paul
> 
>> 
>> Peter.
> 



Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy

> On Oct 24, 2019, at 6:53 PM, Peter Gutmann  wrote:
> 
> Paul Walsh via dev-security-policy  
> writes:
> 
>> we conducted the same research with 85,000 active users over a period of 
>> 12 months
> 
> As I've already pointed out weeks ago when you first raised this, your
> marketing department conducted a survey of EV marketing effectiveness.  

[PW] With respect Peter, you articulate your opinion doesn’t make it a matter 
of fact. Read the article properly and you will see that it’s not from a 
marketing department. It’s a small startup that wanted to conduct a social 
experiment. 

> If
> you have a refereed, peer-reviewed study published at a conference or in 
> an academic journal, please reference it, not a marketing survey 
> masquerading as a "study”.

Rubbish. We don’t need to publish at a conference or in an academic journal for 
it to demonstrate a point. If *you* don’t want to trust it, that’s ok. I don’t 
expect everyone to trust everything that is written.

As Homer Simpson said; “70% of all reports are made up”. 

Our work is not marketing - you obviously didn’t read the methodology and the 
reasons or you wouldn’t make such silly comments. 

> 
> A second suggestion, if you don't want to publish any research (by which I
> mean real research, not rent-seeking CA marketing) supporting your position, 

Did you read any of the words I wrote? I’ve said more than once that I don’t 
work for a CA - never have. You’re obviously a CA-hater and hate everything 
that’s ever discussed about website identity. Haters are gonna hate. I couldn’t 
be more impartial.


> is that you fork Firefox - it is after all an open-source product - add 
> whatever EV UI you like to it, and publish it as an alternative to Firefox.  
> If your approach works as you claim, it'll be so obviously superior to 
> Firefox that everyone will go with your fork rather than the original.

Another weird comment. Forking code and building products doesn’t mean people 
will use it. I have nothing to prove to anyone. If all the browser vendors did 
as I suggest it would mean there’s no need for our flagship product. So how on 
earth could I be biased. My commentary is counterproductive for my 
shareholders and team. But I care about what’s in the best of industry. You 
clearly don’t because you need to have the word “Google” or “Stanford” stamped 
on a PDF. None of the authors of any of those documents come close to the level 
of experience that my team and I have - including our industry contributions. I 
was the first person to ever re-write Tim Berners-Lee’s vision of the “one 
web” when I co-founded the Mobile Web Initiative. I shouldn’t have to throw 
these things around just to appease you. Do your research if you actually care.

> 
> For everyone else who feels this interminable debate has already gone on
> far too long and I'm not helping it, yeah, sorry, I'd consigned the thread 
> to the spam folder for awhile, had a brief look back, and saw this, which 
> indicates it's literally gone nowhere in about a month.

Go play in your spam folder for a little longer because I’m done responding to 
your insults. You didn’t question anything outside our intent which is to 
question my integrity. I won’t accept that - it’s as insulting as it gets.

> 
> I can see why Mozilla avoided this endless broken-record discussion, it's
> not contributing anything but just going round and round in circles.

It’s going around in circles because you refuse to take the time and effort to 
read what has been written. Instead, you assume we have ulterior motives. As 
I’ve said, my motives are not necessarily in the best interest of my company. 

- Paul

> 
> Peter.



Re: [FORGED] Re: Firefox removes UI for site identity

2019-10-24 Thread Peter Gutmann via dev-security-policy
Paul Walsh via dev-security-policy  
writes:

>we conducted the same research with 85,000 active users over a period of 
>12 months

As I've already pointed out weeks ago when you first raised this, your
marketing department conducted a survey of EV marketing effectiveness.  If
you have a refereed, peer-reviewed study published at a conference or in 
an academic journal, please reference it, not a marketing survey 
masquerading as a "study".

A second suggestion, if you don't want to publish any research (by which I
mean real research, not rent-seeking CA marketing) supporting your position, 
is that you fork Firefox - it is after all an open-source product - add 
whatever EV UI you like to it, and publish it as an alternative to Firefox.  
If your approach works as you claim, it'll be so obviously superior to 
Firefox that everyone will go with your fork rather than the original.

For everyone else who feels this interminable debate has already gone on
far too long and I'm not helping it, yeah, sorry, I'd consigned the thread 
to the spam folder for awhile, had a brief look back, and saw this, which 
indicates it's literally gone nowhere in about a month.

I can see why Mozilla avoided this endless broken-record discussion, it's
not contributing anything but just going round and round in circles.

Peter.


Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy

> On Oct 24, 2019, at 2:59 PM, Julien Vehent via dev-security-policy 
>  wrote:
> 
> On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote:
>> There is zero data from any company to prove that browser UI for website 
>> identity can’t work.
> 
> https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

I’ve read this. It’s 13 years old! And consisted of 27 users broken into 
groups. I’m surprised that’s being cited as meaningful research/data in 2019. 
Some participants here weren’t even out of high school back then. I’m jealous.

I don’t know if you read our findings already Julien [1] but we conducted the 
same research with 85,000 active users over a period of 12 months - Chrome, 
Brave, Firefox and Opera. I have documented the entire process along with the 
method used to determine whether or not the visual indicator had achieved 
product/market fit. Our research started in December 2017 and lasted more than 
a year. This same software is now being sold into businesses of different 
sizes. Since it was first released, we have had zero victims of a deceptive 
website. And according to our MSP partners, their support calls and emails are 
massively reduced because when relying on the visual indicator we designed, 
they are less likely to report “suspicious” emails or websites. 

It’s by no means perfect, but when a popular crypto DNS was compromised we 
changed the classification so it was immediately blocked. This is an edge case 
that requires more work.

For context, my engineers were the same people who built the official browser 
add-ons for digg, Delicious, Yahoo!, eBay, PayPal, Google and Microsoft. They 
contributed to Firefox bug fixing and my COO started the Firefox developer 
evangelist community. Our first API for child safety was supposed to be 
integrated with Firefox but weirdly one engineer thought it was censoring the 
web so Chris Hoffman, Mitch and others decided not to proceed.

So, we’re a tiny player, but there are fewer people with more experience in 
browser software, visual indicators and URL Classification. This doesn’t mean 
we’re more right - it just means that our assertions should be taken seriously 
and not disregarded as “vendor marketing”. 

We also built the first ever security integration for native email clients - 
here’s a video demo of link annotation for the Apple Mail client 
https://www.youtube.com/watch?v=elutAAsboyE - visual indicators can and do work 
when done well. 

It was very easy for us to educate users of the visual indicators and it was/is 
easy for them to rely on them. Similar to how I suspect you want users to rely 
on your new UI for tracking. We didn’t even have a website for this product 
until about 3 weeks ago and our onboarding sucks right now.

I would urge you to read about this and feel free to ask me any question you 
like in public or private. Please, when you read it though, assume that I love 
https, free dv certs, the lock and encryption - my article talks about the 
downside in regards to “how” these are being implemented.

Furthermore, my R&D into visual indicators started in 2004 - before EV was even 
considered by its creators. Every member of the W3C Semantic Web Education & 
Outreach Program (of which I was a member) voted our ‘proof of concept’ add-on 
as one of the most compelling implementations of the Semantic Web 
https://www.w3.org/2001/sw/sweo/public/UseCases/Segala/ I’m highlighting this 
because the data/research we did back then isn’t relevant today - just like the 
research you refer to isn’t relevant today in my opinion. 

Timing and market conditions are everything. In my article I also draw 
conclusions about the relationship between phishing and the other components 
mentioned - using a massive number of data points from various cybersecurity 
companies that face these problems daily.

> 
> "In this paper, we presented a controlled between-subjects evaluation of the 
> extended validation user interface in Internet Explorer 7. Unfortunately, 
> participants who received no training in browser security features did not 
> notice the extended validation indicator and did not outperform the control 
> group.”

If this was true, no browser vendor would be able to release new features for 
anything. That said, browser settings is generally where UX goes to die a slow 
death. But some browser vendors do some things very well - Firefox tracking is 
good. Brave “shields" is probably the best implementation of anti-tracking I’ve 
seen because it’s the main utility. 

> 
> https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf
> 
> "We conclude that modern browser identity indicators are not effective.   To 
> design better identity indicators,  we  recommend  that  browsers  consider  
> focusing  on active negative indicators, explore using prominent UI as an 
> opportunity for user e

Re: Firefox removes UI for site identity

2019-10-24 Thread Phillip Hallam-Baker via dev-security-policy
On Thu, Oct 24, 2019 at 5:31 PM Paul Walsh  wrote:

> So, the next time a person says “EV is broken” or “website identity can’t
> work” please think about what I just said and imagine actual browser
> designers and developers who were/are responsible for that work. They were
> never given a chance to get it right.
>

The point I wanted to bring to people's attention here is that the world
has moved on since. At the present moment we are engaged in a political
crisis on both sides of the Atlantic. Those are the particular issues on
which I have been focused and those are the issues that I expect will be my
primary concern for a few months longer.

But one way or another, those issues will eventually be resolved. And as
soon as that happens, the blamestorming will begin. And once they have run
out of the guilty, they will be going after the innocent (as of course will
the people who were also guilty hoping to deflect attention from their own
culpability). And who else is there going to be left to blame who is
within reach apart from 'BigTech'?

The security usability approach of the 1990s doesn't work any more. We
don't need people to tell us what doesn't work, we need people who are
committed to making it work.

The brief here is how to provide people with a way that they can be safe on
the Internet that they can use. That includes providing them with a means
of being able to tell a fake site from a real one. That also includes the
entirely separate problem of how to prevent phishing type attacks.


And one of the things we need to start doing is being honest about what the
research actually shows. From the paper cited by Julien.

" The participants who were asked to read the Internet Explorer help file
were more likely to classify both real and fake sites as legitimate
whenever the phishing warning did not appear."

This is actually the exact opposite of the misleading impression he gave of
the research.

The green bar is not enough, I never expected it to be. To be successful,
the green bar required the browser providers to provide a consistent UI
that users could rely on and explain what it means. It seems that every day
I am turning on a device or starting an app only to be told it has updated
and they want to tell me about some new feature they have added. Why is it
only the features that the providers want to tell me about get that
treatment? Why not also use it to tell people how to be safe.


Re: Firefox removes UI for site identity

2019-10-24 Thread Julien Vehent via dev-security-policy
On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote:
> There is zero data from any company to prove that browser UI for website 
> identity can’t work.

https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

"In this paper, we presented a controlled between-subjects evaluation of the 
extended validation user interface in Internet Explorer 7. Unfortunately, 
participants who received no training in browser security features did not 
notice the extended validation indicator and did not outperform the control 
group."

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf

"We conclude that modern browser identity indicators are not effective.   To 
design better identity indicators,  we  recommend  that  browsers  consider  
focusing  on active negative indicators, explore using prominent UI as an 
opportunity for user education, and incorporate user research into the design 
phase."

And more at 
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md


- Julien


Re: Firefox removes UI for site identity

2019-10-24 Thread Paul Walsh via dev-security-policy
On Oct 24, 2019, at 12:36 PM, Phillip Hallam-Baker via dev-security-policy 
 wrote:
> 
> Eric,
> 
> I am not going to be gaslighted here.
> 
> Just what was your email supposed to do other than "suppressing dialogue
> within this community"?
> 
> I was making no threat, but if I was still working for a CA, I would
> certainly get the impression that you were threatening me.
> 
> The bullying and unprofessional behavior of a certain individual is one of
> the reasons I have stopped engaging in CABForum, an organization I
> co-founded. My contributions to this industry began in 1992 when I began
> working on the Web with Tim Berners-Lee at CERN.
> 
> 
> The fact that employees who work on what is the third largest browser also
> participate in the technical and policy discussions of the third largest
> browser which is also the only multi-party competitor should be a serious
> concern to Google and Mozilla. It is a clear anti-Trust liability to both
> concerns. People here might think that convenient, but it is not the sort
> of arrangement I for one would like to be having to defend in Congressional
> hearings.
> 
> As I said, I do not make threats. My concern here is that we have lost
> public confidence. We are no longer the heroes we once were and politicians
> in your own party are now running against 'Big Tech'. We already had DoH
> raised in the House this week and there is more to come. We have six months
> at most to put our house in order.

[PW] +1 on everything said by Phil. I particularly like "We are no longer the 
heroes we once were”. The fact that Phil stopped contributing to the CABForum 
due to one bully means industry loses out - I’ve noticed a massive decline in 
participation from many members - some of them for the same reason as I told me 
in private.

I’d like to add that I’ve only met Phil once, when we were both speakers at the 
W3C WWW2006 conference. I showed him a Firefox add-on with visual indicators 
for search engines, and he explained to me the concept of a URL bar that would 
turn green (set aside accessibility challenges with color-only for now) so 
users can avoid counterfeit websites. I was blown away by the idea and by the 
possible implementations with browsers. How could a user possibly fall for a 
deceptive website?! It’s ***2019*** and people falling for deceptive websites 
and dangerous URIs is the #1 problem in cybersecurity - and it’s getting worse.

But alas, browser vendors didn’t design the UI/UX in the way it was expected. 
And instead of iterating the UI/UX based on user feedback until product/market 
fit was achieved, vendors decided to remove it all. And instead of looking 
inward to see what they could have done better, they blame the companies that 
simply provided the information for them to display in their UI. 

There is zero data from any company to prove that browser UI for website 
identity can’t work. I could write a white paper on why it didn’t work and why 
it can’t work based on how it *was* implemented. This is not research - this is 
confirmation bias. There isn’t a single successful product or feature that 
didn’t require iteration. 

So, the next time a person says “EV is broken” or “website identity can’t work” 
please think about what I just said and imagine actual browser designers and 
developers who were/are responsible for that work. They were never given a 
chance to get it right.

I don’t work for a CA and never have. But I’m sick and tired of the bullying 
tactics from some individuals who work for major players - it’s toxic.  *Not* 
referring to you Eric :)

If we want to discuss CA marketing/sales and verification processes then let’s 
do that - *separate* to browser UI implementations. 

And here’s what’s almost funny, we’re going to see the very same mistakes made 
for email. Everyone involved in BIMI [1] asserts that it has nothing to do with 
security - it’s all about marketing. Yet almost everything in regards to 
benefits and execution is security related. They’re about to make all the same 
silly mistakes over again. 

[1] https://bimigroup.org 

Regards,

- Paul


> 
> 
> 
> On Thu, Oct 24, 2019 at 12:29 PM Eric Mill  wrote:
> 
>> Phillip, that was an unprofessional contribution to this list, that could
>> be read as a legal threat, and could contribute to suppressing dialogue
>> within this community. And, given that the employee to which it is clear
>> you are referring is not only a respected community member, but literally a
>> peer of the Mozilla Root Program, it is particularly unhelpful to Mozilla's
>> basic operations.
>> 
>> On Wed, Oct 23, 2019 at 10:33 AM Phillip Hallam-Baker via
>> dev-security-policy  wrote:
>> 
>>> On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <
>>> dev-security-policy@lists.mozilla.org> wrote:
>>> 
>>>> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
>>>> dev-security-policy wrote:
>>>>> I also have a question for Mozilla on the removal of th

Re: Firefox removes UI for site identity

2019-10-24 Thread Phillip Hallam-Baker via dev-security-policy
Eric,

I am not going to be gaslighted here.

Just what was your email supposed to do other than "suppressing dialogue
within this community"?

I was making no threat, but if I was still working for a CA, I would
certainly get the impression that you were threatening me.

The bullying and unprofessional behavior of a certain individual is one of
the reasons I have stopped engaging in CABForum, an organization I
co-founded. My contributions to this industry began in 1992 when I began
working on the Web with Tim Berners-Lee at CERN.


The fact that employees who work on what is the third largest browser also
participate in the technical and policy discussions of the third largest
browser which is also the only multi-party competitor should be a serious
concern to Google and Mozilla. It is a clear anti-Trust liability to both
concerns. People here might think that convenient, but it is not the sort
of arrangement I for one would like to be having to defend in Congressional
hearings.

As I said, I do not make threats. My concern here is that we have lost
public confidence. We are no longer the heroes we once were and politicians
in your own party are now running against 'Big Tech'. We already had DoH
raised in the House this week and there is more to come. We have six months
at most to put our house in order.



On Thu, Oct 24, 2019 at 12:29 PM Eric Mill  wrote:

> Phillip, that was an unprofessional contribution to this list, that could
> be read as a legal threat, and could contribute to suppressing dialogue
> within this community. And, given that the employee to which it is clear
> you are referring is not only a respected community member, but literally a
> peer of the Mozilla Root Program, it is particularly unhelpful to Mozilla's
> basic operations.
>
> On Wed, Oct 23, 2019 at 10:33 AM Phillip Hallam-Baker via
> dev-security-policy  wrote:
>
>> On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>> > On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
>> > dev-security-policy wrote:
>> > > I also have a question for Mozilla on the removal of the EV UI.
>> >
>> > This is a mischaracterisation.  The EV UI has not been removed, it has
>> been
>> > moved to a new location.
>> >
>> > > So my question to Mozilla is, why did Mozilla post this as a subject
>> on
>> > > the mozilla.dev.security.policy list if it didn't plan to interact
>> with
>> > > members of the community who took the time to post responses?
>> >
>> > What leads you to believe that Mozilla didn't plan to interact with
>> members
>> > of the community?  It is entirely plausible that if any useful responses
>> > that warranted interaction were made, interaction would have occurred.
>> >
>> > I don't believe that Mozilla is obliged to respond to people who have
>> > nothing useful to contribute, and who don't accurately describe the
>> change
>> > being made.
>> >
>> > > This issue started with a posting by Mozilla on August 12, but despite
>> > 237
>> > > subsequent postings from many members of the Mozilla community, I
>> don't
>> > > think Mozilla staff ever responded to anything or anyone - not to
>> explain
>> > > or justify the decision, not to argue.  Just silence.
>> >
>> > I think the decision was explained and justified in the initial
>> > announcement.  No information that contradicted the provided
>> justification
>> > was presented, so I don't see what argument was required.
>> >
>> > > In the future, if Mozilla has already made up its mind and is not
>> > > interested in hearing back from the community, it might be better NOT
>> to
>> > > start a discussion on the list soliciting feedback.
>> >
>> > Soliciting feedback and hearing back from the community does not require
>> > response from Mozilla, merely reading.  Do you have any evidence that
>> > Mozilla staff did not, in fact, read the feedback that was given?
>> >
>>
>> If you are representing yourselves as having an open process, the lack of
>> response on the list does undermine that claim. The lack of interaction on
>> that particular topic actually speaks volumes.
>>
>> Both parties in Congress have already signalled that they intend to go
>> after 'big tech'. Security is an obvious issue to focus on. While it is
>> unlikely Mozilla will be a target of those discussions, Google certainly
>> is
>> and one employee in particular.
>>
>> This is the point at which the smart people are going to lawyer up.
>> ___
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>
> --
> Eric Mill
> 617-314-0966 | konklone.com | @konklone 
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Firefox removes UI for site identity

2019-10-24 Thread Eric Mill via dev-security-policy
Phillip, that was an unprofessional contribution to this list, that could
be read as a legal threat, and could contribute to suppressing dialogue
within this community. And, given that the employee to which it is clear
you are referring is not only a respected community member, but literally a
peer of the Mozilla Root Program, it is particularly unhelpful to Mozilla's
basic operations.

On Wed, Oct 23, 2019 at 10:33 AM Phillip Hallam-Baker via
dev-security-policy  wrote:

> On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
> > dev-security-policy wrote:
> > > I also have a question for Mozilla on the removal of the EV UI.
> >
> > This is a mischaracterisation.  The EV UI has not been removed, it has
> been
> > moved to a new location.
> >
> > > So my question to Mozilla is, why did Mozilla post this as a subject on
> > > the mozilla.dev.security.policy list if it didn't plan to interact with
> > > members of the community who took the time to post responses?
> >
> > What leads you to believe that Mozilla didn't plan to interact with
> members
> > of the community?  It is entirely plausible that if any useful responses
> > that warranted interaction were made, interaction would have occurred.
> >
> > I don't believe that Mozilla is obliged to respond to people who have
> > nothing useful to contribute, and who don't accurately describe the
> change
> > being made.
> >
> > > This issue started with a posting by Mozilla on August 12, but despite
> > 237
> > > subsequent postings from many members of the Mozilla community, I don't
> > > think Mozilla staff ever responded to anything or anyone - not to
> explain
> > > or justify the decision, not to argue.  Just silence.
> >
> > I think the decision was explained and justified in the initial
> > announcement.  No information that contradicted the provided
> justification
> > was presented, so I don't see what argument was required.
> >
> > > In the future, if Mozilla has already made up its mind and is not
> > > interested in hearing back from the community, it might be better NOT
> to
> > > start a discussion on the list soliciting feedback.
> >
> > Soliciting feedback and hearing back from the community does not require
> > response from Mozilla, merely reading.  Do you have any evidence that
> > Mozilla staff did not, in fact, read the feedback that was given?
> >
>
> If you are representing yourselves as having an open process, the lack of
> response on the list does undermine that claim. The lack of interaction on
> that particular topic actually speaks volumes.
>
> Both parties in Congress have already signalled that they intend to go
> after 'big tech'. Security is an obvious issue to focus on. While it is
> unlikely Mozilla will be a target of those discussions, Google certainly is
> and one employee in particular.
>
> This is the point at which the smart people are going to lawyer up.


-- 
Eric Mill
617-314-0966 | konklone.com | @konklone 


Re: Firefox removes UI for site identity

2019-10-24 Thread Daniel Marschall via dev-security-policy
> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy 
> wrote:
> 
> This is a mischaracterisation.  The EV UI has not been removed, it has been
> moved to a new location.
> 

That's like, when I throw something away, I didn't actually throw it away, I 
just moved it to a new location (the bin).


Re: Firefox removes UI for site identity

2019-10-23 Thread Paul Walsh via dev-security-policy
On Oct 22, 2019, at 4:49 PM, Matt Palmer via dev-security-policy wrote:
> 
> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy 
> wrote:
>> I also have a question for Mozilla on the removal of the EV UI.
> 
> This is a mischaracterisation.  The EV UI has not been removed, it has been
> moved to a new location.

[PW] Technically, I think you are both correct Matt. Please allow me to provide 
an analogy to explain why I say "removed" instead of "moved".

If an owner puts up a sign in their store window that says “we have moved to…” 
customers will know they have “moved”. But if the owner vacates the premises 
without notice, customers will naturally assume it has closed down (i.e. 
removed). A few might go looking for them. But most won’t. 

I personally use the term “removed” because Mozilla hasn’t actually signposted 
the changes anywhere. The original UI and UX was poor, which is why most people 
don’t know the difference between EV and DV icons. Instead of making it better, 
they made it much worse. 

The team didn’t even include the update in the release notes until I brought it 
to their attention. Even then it’s not in plain English - using the term “EV” 
instead of “website identity” just shows how badly they have always 
communicated the meaning of the UI to consumers. But what’s the point in 
debating that. The horse has bolted. 

Mozilla did however, take great care in educating users about the new tracking 
features and new UI. This only helps to demonstrate that it’s possible to 
educate users about a new feature or UI implementation for identity. But again, 
I digress. So we’ll just keep this as a receipt to prove that browser vendors 
believe it’s possible to train users to look for new visual indicators - 
contrary to what they say about identity information. 

> 
>> So my question to Mozilla is, why did Mozilla post this as a subject on
>> the mozilla.dev.security.policy list if it didn't plan to interact with
>> members of the community who took the time to post responses?
> 
> What leads you to believe that Mozilla didn't plan to interact with members
> of the community?  It is entirely plausible that if any useful responses
> that warranted interaction were made, interaction would have occurred.
> 
> I don't believe that Mozilla is obliged to respond to people who have
> nothing useful to contribute, and who don't accurately describe the change
> being made.

[PW] I agree and disagree. I agree, because Mozilla is not obliged to do 
anything it doesn’t want to do. It’s not obliged to engage with the community. 
It’s not obliged to engage with anyone it doesn’t want to. 

I disagree because no company, especially an open source, community driven 
foundation, should make changes that upset important stakeholders. Aside from 
the bad karma, it is poor product management. Perhaps the lack of community 
engagement in recent times is part of the reason for losing market share? Who 
knows. Either way it can be made better. I personally love the brand and what 
it stands for.

> 
>> This issue started with a posting by Mozilla on August 12, but despite 237
>> subsequent postings from many members of the Mozilla community, I don't
>> think Mozilla staff ever responded to anything or anyone - not to explain
>> or justify the decision, not to argue.  Just silence.
> 
> I think the decision was explained and justified in the initial
> announcement.  No information that contradicted the provided justification
> was presented, so I don't see what argument was required.

[PW] This is not a good way to build a product. I and many others called 
Mozilla out for making poor decisions around its OS and mobile browser 
strategies (lack of). So it’s possible for browser vendors to get big things 
very wrong. 

> 
>> In the future, if Mozilla has already made up its mind and is not
>> interested in hearing back from the community, it might be better NOT to
>> start a discussion on the list soliciting feedback.
> 
> Soliciting feedback and hearing back from the community does not require
> response from Mozilla, merely reading.  Do you have any evidence that
> Mozilla staff did not, in fact, read the feedback that was given?

[PW] If true, this is no longer the Mozilla that my team contributed to. As one 
of the first 50 contributors to Mozilla, my COO helped to build the Firefox 
developer evangelist community and he built spreadfirefox.com - my engineers 
contributed to Firefox code too. I don’t ever recall witnessing anyone use the 
words you chose to describe how the team should behave. Perhaps your words 
reflect current thinking… 

- Paul

> 
> - Matt
> 

Re: Firefox removes UI for site identity

2019-10-23 Thread Jakob Bohm via dev-security-policy

On 23/10/2019 01:49, Matt Palmer wrote:
> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy
> wrote:
>> I also have a question for Mozilla on the removal of the EV UI.
>
> This is a mischaracterisation.  The EV UI has not been removed, it has been
> moved to a new location.


It was moved entirely off screen, and replaced with very subtle
differences in the contents of a pop-up.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Firefox removes UI for site identity

2019-10-23 Thread Phillip Hallam-Baker via dev-security-policy
On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
> dev-security-policy wrote:
> > I also have a question for Mozilla on the removal of the EV UI.
>
> This is a mischaracterisation.  The EV UI has not been removed, it has been
> moved to a new location.
>
> > So my question to Mozilla is, why did Mozilla post this as a subject on
> > the mozilla.dev.security.policy list if it didn't plan to interact with
> > members of the community who took the time to post responses?
>
> What leads you to believe that Mozilla didn't plan to interact with members
> of the community?  It is entirely plausible that if any useful responses
> that warranted interaction were made, interaction would have occurred.
>
> I don't believe that Mozilla is obliged to respond to people who have
> nothing useful to contribute, and who don't accurately describe the change
> being made.
>
> > This issue started with a posting by Mozilla on August 12, but despite
> 237
> > subsequent postings from many members of the Mozilla community, I don't
> > think Mozilla staff ever responded to anything or anyone - not to explain
> > or justify the decision, not to argue.  Just silence.
>
> I think the decision was explained and justified in the initial
> announcement.  No information that contradicted the provided justification
> was presented, so I don't see what argument was required.
>
> > In the future, if Mozilla has already made up its mind and is not
> > interested in hearing back from the community, it might be better NOT to
> > start a discussion on the list soliciting feedback.
>
> Soliciting feedback and hearing back from the community does not require
> response from Mozilla, merely reading.  Do you have any evidence that
> Mozilla staff did not, in fact, read the feedback that was given?
>

If you are representing yourselves as having an open process, the lack of
response on the list does undermine that claim. The lack of interaction on
that particular topic actually speaks volumes.

Both parties in Congress have already signalled that they intend to go
after 'big tech'. Security is an obvious issue to focus on. While it is
unlikely Mozilla will be a target of those discussions, Google certainly is
and one employee in particular.

This is the point at which the smart people are going to lawyer up.


Re: Firefox removes UI for site identity

2019-10-22 Thread Wayne Thayer via dev-security-policy
The primary purpose of forwarding the Intent to Ship email to this list was
to inform the community of this planned change and the reasoning behind it.
Mozilla considered lots of information prior to announcing the change, and
during the vigorous debate that ensued, we continued to listen without
taking sides. In the end, the discussion and information presented did not
compel us to change our decision.

On Tue, Oct 22, 2019 at 4:49 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
> dev-security-policy wrote:
> > I also have a question for Mozilla on the removal of the EV UI.
>
> This is a mischaracterisation.  The EV UI has not been removed, it has been
> moved to a new location.
>
> > So my question to Mozilla is, why did Mozilla post this as a subject on
> > the mozilla.dev.security.policy list if it didn't plan to interact with
> > members of the community who took the time to post responses?
>
> What leads you to believe that Mozilla didn't plan to interact with members
> of the community?  It is entirely plausible that if any useful responses
> that warranted interaction were made, interaction would have occurred.
>
> I don't believe that Mozilla is obliged to respond to people who have
> nothing useful to contribute, and who don't accurately describe the change
> being made.
>
> > This issue started with a posting by Mozilla on August 12, but despite
> 237
> > subsequent postings from many members of the Mozilla community, I don't
> > think Mozilla staff ever responded to anything or anyone - not to explain
> > or justify the decision, not to argue.  Just silence.
>
> I think the decision was explained and justified in the initial
> announcement.  No information that contradicted the provided justification
> was presented, so I don't see what argument was required.
>
> > In the future, if Mozilla has already made up its mind and is not
> > interested in hearing back from the community, it might be better NOT to
> > start a discussion on the list soliciting feedback.
>
> Soliciting feedback and hearing back from the community does not require
> response from Mozilla, merely reading.  Do you have any evidence that
> Mozilla staff did not, in fact, read the feedback that was given?
>
> - Matt
>


Re: Firefox removes UI for site identity

2019-10-22 Thread Matt Palmer via dev-security-policy
On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy 
wrote:
> I also have a question for Mozilla on the removal of the EV UI.

This is a mischaracterisation.  The EV UI has not been removed, it has been
moved to a new location.

> So my question to Mozilla is, why did Mozilla post this as a subject on
> the mozilla.dev.security.policy list if it didn't plan to interact with
> members of the community who took the time to post responses?

What leads you to believe that Mozilla didn't plan to interact with members
of the community?  It is entirely plausible that if any useful responses
that warranted interaction were made, interaction would have occurred.

I don't believe that Mozilla is obliged to respond to people who have
nothing useful to contribute, and who don't accurately describe the change
being made.

> This issue started with a posting by Mozilla on August 12, but despite 237
> subsequent postings from many members of the Mozilla community, I don't
> think Mozilla staff ever responded to anything or anyone - not to explain
> or justify the decision, not to argue.  Just silence.

I think the decision was explained and justified in the initial
announcement.  No information that contradicted the provided justification
was presented, so I don't see what argument was required.

> In the future, if Mozilla has already made up its mind and is not
> interested in hearing back from the community, it might be better NOT to
> start a discussion on the list soliciting feedback.

Soliciting feedback and hearing back from the community does not require
response from Mozilla, merely reading.  Do you have any evidence that
Mozilla staff did not, in fact, read the feedback that was given?

- Matt



Re: Firefox removes UI for site identity

2019-10-22 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 22, 2019 at 1:38 PM Paul Walsh via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks Johann. Much appreciated. Would you be kind enough to email me a
> screen shot to save me the trouble of installing an older version and then
> waiting for an update? :)
>
>
You can find the (now updated) release notes at
https://www.mozilla.org/en-US/firefox/70.0/releasenotes/

- Wayne


Re: Firefox removes UI for site identity

2019-10-22 Thread Kirk Hall via dev-security-policy
I also have a question for Mozilla on the removal of the EV UI.  This issue 
started with a posting by Mozilla on August 12, but despite 237 subsequent 
postings from many members of the Mozilla community, I don't think Mozilla 
staff ever responded to anything or anyone - not to explain or justify the 
decision, not to argue.  Just silence.

So my question to Mozilla is, why did Mozilla post this as a subject on the 
mozilla.dev.security.policy list if it didn't plan to interact with members of 
the community who took the time to post responses?

In the future, if Mozilla has already made up its mind and is not interested in 
hearing back from the community, it might be better NOT to start a discussion 
on the list soliciting feedback.


Re: Firefox removes UI for site identity

2019-10-22 Thread Paul Walsh via dev-security-policy
Thanks Johann. Much appreciated. Would you be kind enough to email me a screen 
shot to save me the trouble of installing an older version and then waiting for 
an update? :)

Thanks,
- Paul


> On Oct 22, 2019, at 1:29 PM, Johann Hofmann  wrote:
> 
> Hi Paul,
> 
> thanks for the heads up. This wasn't intentional and I've reached out to get 
> the security UI changes added to the release notes for 70. You're right that 
> this is significant enough to be included. The page should be updated very 
> soon, so that most users will see the new version (due to throttled rollouts 
> and a general delay in users updating).
> 
> Cheers,
> 
> Johann
> 
> On Tue, Oct 22, 2019 at 9:06 PM Paul Walsh via dev-security-policy wrote:
> Direct question for Mozilla. 
> 
> Today, the website identity UI was removed from Firefox. “We” knew it was 
> coming. But millions of users didn’t. 
> 
> Why wasn’t this mentioned in the release notes on the page that’s 
> automatically opened following the update? 
> 
> Someone might say “they didn’t know it was there anyway”. While this is true 
> for the vast majority, it doesn’t answer my question. And it’s not 100% 
> accurate for every user of Firefox. 
> 
> It’s significant enough to warrant being mentioned in my opinion. And a blog 
> post doesn’t count. 
> 
> Thanks,
> - Paul
> 


Re: Firefox removes UI for site identity

2019-10-22 Thread Johann Hofmann via dev-security-policy
Hi Paul,

thanks for the heads up. This wasn't intentional and I've reached out to
get the security UI changes added to the release notes for 70. You're right
that this is significant enough to be included. The page should be updated
very soon, so that most users will see the new version (due to throttled
rollouts and a general delay in users updating).

Cheers,

Johann

On Tue, Oct 22, 2019 at 9:06 PM Paul Walsh via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Direct question for Mozilla.
>
> Today, the website identity UI was removed from Firefox. “We” knew it was
> coming. But millions of users didn’t.
>
> Why wasn’t this mentioned in the release notes on the page that’s
> automatically opened following the update?
>
> Someone might say “they didn’t know it was there anyway”. While this is
> true for the vast majority, it doesn’t answer my question. And it’s not
> 100% accurate for every user of Firefox.
>
> It’s significant enough to warrant being mentioned in my opinion. And a
> blog post doesn’t count.
>
> Thanks,
> - Paul
>