Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:21 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 3:17 PM, Paul Walsh wrote: >>> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: >>> it

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 4:19 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> The data suggests that automatically issued DV certs for free is a favorite >> for criminals. > > True, but that one's just an instance of Sutton's Law, they go for those > because

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/9/2019 3:17 PM, Paul Walsh wrote: On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy wrote: On 10/9/2019 2:24 PM, Paul Walsh via dev-security-policy wrote: it indefinitely. [PW] Here’s the kink Ronald. I agree with you. Mozilla’s decision to implement DoH is going to

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/8/2019 7:04 PM, Paul Walsh via dev-security-policy wrote: On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy wrote: On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy wrote: [snip] Some

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Ronald Crane via dev-security-policy
On 10/9/2019 11:02 AM, Paul Walsh via dev-security-policy wrote: On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy wrote: On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: [snip] sɑlesforce[.com] is available for purchase right now. I was going to suggest

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
> On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: > > [snip] sɑlesforce[.com] is available for purchase right now. >>> I was going to suggest banning non-Latin-glyph domains, since they are yet

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Paul Walsh via dev-security-policy
On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy wrote: > > On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: >> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy >> wrote: >>> Why isn’t anyone’s head blowing up over the Let’s Encrypt

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-09 Thread Leo Grove via dev-security-policy
On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: > On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy > wrote: > > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? > > Because those stats don't show anything worth blowing up one's head

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Matt Palmer via dev-security-policy
On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy wrote: > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats? Because those stats don't show anything worth blowing up one's head over. I don't see anything in them that indicates that those 14,000

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or security solution to detect -   >>

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other changes that might help reduce phishing are:

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:52 PM, Peter Gutmann wrote: > > Paul Walsh ​ writes: > >> I would like to see one research paper published by one browser vendor to >> show that website identity visual indicators can not work. > > Uhhh... are you serious with that request? You're asking for a study

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 4:05 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:27 PM, Peter Gutmann wrote: >> Ronald Crane via dev-security-policy >> writes: >> >>> "Virtually impossible"? "Anyone"? Really? Those are big claims that need >>> real >>> data. >> How many

Re: Updated website owner survey data on identity, browser UIs, and the EV UI

2019-10-08 Thread Paul Walsh via dev-security-policy
I finally got around to digesting the email below. Summary/Reminder: CA related data on website identity from the perspective of website owners. As Homer Simpson said, "70% of all reports are made up". So, everything put forward by me in previous messages, or anyone else, must be taken with a

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-04 Thread Ronald Crane via dev-security-policy
On 10/3/2019 8:44 PM, Matt Palmer via dev-security-policy wrote: On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy wrote: On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote: [snip] I guess I wasn't specific enough. I am looking for a good study that

Re: Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-03 Thread Matt Palmer via dev-security-policy
On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy wrote: > > On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote: > > [snip] > > > I guess I wasn't specific enough. I am looking for a good study that > > > supports the proposition that the Internet

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-03 Thread Ronald Crane via dev-security-policy
On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote: [snip] I guess I wasn't specific enough. I am looking for a good study that supports the proposition that the Internet community has (1) made a concerted effort to ensure that there is only one authentic domain per entity (or, at

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-03 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 3, 2019 at 3:45 PM Ronald Crane via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote: > > Ronald Crane via dev-security-policy < > dev-security-policy@lists.mozilla.org> writes: > > > >> Please cite

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-03 Thread Ronald Crane via dev-security-policy
On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote: Ronald Crane via dev-security-policy writes: Please cite the best study you know about on this topic (BTW, I am *not* snidely implying that there isn't one). Sure, gimme a day or two since I'm away at the moment.

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Peter Gutmann via dev-security-policy
Ronald Crane via dev-security-policy writes: >Please cite the best study you know about on this topic (BTW, I am *not* >snidely >implying that there isn't one). Sure, gimme a day or two since I'm away at the moment. Alternatively, there's been such a vast amount of work done on this that a

Updated website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kirk Hall via dev-security-policy
On September 21, I sent a message to the Mozilla community with the results of a survey of all of Entrust Datacard’s customers (both those who use EV certificates, and those who don’t) concerning what they think about website identity in browsers, browser UIs in general, and EV browser UIs in

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Ronald Crane via dev-security-policy
On 10/2/2019 3:27 PM, Peter Gutmann wrote: Ronald Crane via dev-security-policy writes: "Virtually impossible"? "Anyone"? Really? Those are big claims that need real data. How many references to research papers would you like? Would a dozen do, or do you want two dozen? One well-done

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other changes that might help reduce phishing are:

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:27 PM, Peter Gutmann via dev-security-policy > wrote: > > Ronald Crane via dev-security-policy > writes: > >> "Virtually impossible"? "Anyone"? Really? Those are big claims that need real >> data. > > How many references to research papers would you like? Would a

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:20 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote: In separate research, CAs have shown data to demonstrate that website owners want to have their identity verified. >>> >>> They have not. In fact, I would say that most

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:18 PM, Ronald Crane via dev-security-policy > wrote: > > > On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy >> wrote: >>> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kurt Roeckx via dev-security-policy
On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote: > >> In separate research, CAs have shown data to demonstrate that website > >> owners want to have their identity verified. > > > > They have not. In fact, I would say that most website owners are perfectly > > happy with DV

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
> On Oct 2, 2019, at 3:11 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote: >> On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy >> wrote: >>> >>> On 2019-10-02 09:20, Kurt Roeckx wrote: On 2019-10-02 02:39, Paul Walsh wrote: >

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Ronald Crane via dev-security-policy
On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote: On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy wrote: On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: New tools such as Modlishka now automate phishing attacks, making it virtually impossible

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kurt Roeckx via dev-security-policy
On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote: > On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy > wrote: > > > > On 2019-10-02 09:20, Kurt Roeckx wrote: > >> On 2019-10-02 02:39, Paul Walsh wrote: > >>> > >>> According to Ellis, the goal for a customer survey is

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy wrote: > > On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote: >> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >>> New tools such as Modlishka now automate phishing attacks, making it >>>

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy wrote: > > On 2019-10-02 09:20, Kurt Roeckx wrote: >> On 2019-10-02 02:39, Paul Walsh wrote: >>> >>> According to Ellis, the goal for a customer survey is to get feedback from >>> people who had recently experienced "real usage"

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Paul Walsh via dev-security-policy
On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or security solution to detect -   >>

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Ronald Crane via dev-security-policy
On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: New tools such as Modlishka now automate phishing attacks, making it virtually impossible for any browser or security solution to detect -  bypassing 2FA. Google has admitted that it’s unable to detect these phishing scams as they

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kurt Roeckx via dev-security-policy
On 2019-10-02 09:20, Kurt Roeckx wrote: On 2019-10-02 02:39, Paul Walsh wrote: According to Ellis, the goal for a customer survey is to get feedback from people who had recently experienced "real usage" of the product. The key question in the survey for these people according to Ellis, is:

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-02 Thread Kurt Roeckx via dev-security-policy
On 2019-10-02 02:39, Paul Walsh wrote: According to Ellis, the goal for a customer survey is to get feedback from people who had recently experienced "real usage" of the product. The key question in the survey for these people according to Ellis, is: "How would you feel if you could no

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-01 Thread Paul Walsh via dev-security-policy
On Sunday, September 22, 2019 at 7:49:14 AM UTC-7, Gijs Kruitbosch wrote: [snip] > On 22/09/2019 00:52, Kirk Hall wrote: > > (1) *97%* of respondents agreed or strongly agreed with the statement: > > "Customers / users have the right to know which organization is running a > > website if the

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-10-01 Thread Paul Walsh via dev-security-policy
On Saturday, September 21, 2019 at 6:19:29 PM UTC-7, Ryan Sleevi wrote: > On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org > > wrote: > >> To remedy this, Entrust Datacard surveyed all of

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-22 Thread Peter Gutmann via dev-security-policy
Kirk Hall via dev-security-policy writes: >To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server >certificate customers And what a marvellously disingenuous "survey" it is too, artfully constructed to produce exactly the result the CA's marketing department wants. Mixed in

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-22 Thread Gijs Kruitbosch via dev-security-policy
(For the avoidance of doubt, although I work for Mozilla, as noted on the wiki I post in a personal capacity) In addition to Ryan's excellent points, I wanted to briefly point out a few things related to your survey: On 22/09/2019 00:52, Kirk Hall wrote: (1) *97%* of respondents agreed or

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-22 Thread Cynthia Revström via dev-security-policy
Kirk, may I remind you that Ryan Sleevi is posting in personal capacity here, as is the default on m.d.s.p unless otherwise specified. So please do not drag his employer into this discussion. Ryan Sleevi, Peer of the CA Certificates Module;

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-21 Thread Kirk Hall via dev-security-policy
On Saturday, September 21, 2019 at 6:19:29 PM UTC-7, Ryan Sleevi wrote: > On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server > > certificate customers

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-21 Thread Ryan Sleevi via dev-security-policy
On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server > certificate customers over three days (19-21 September 2019) concerning > website identity in browsers,

Website owner survey data on identity, browser UIs, and the EV UI

2019-09-21 Thread Kirk Hall via dev-security-policy
The Mozilla community seeks broad input before important security decisions like changing the Firefox UI, but it almost never receives any input from one important group – website owners themselves. To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server certificate customers