Re: Website owner survey data on identity, browser UIs, and the EV UI

On Saturday, September 21, 2019 at 6:19:29 PM UTC-7, Ryan Sleevi wrote: > On Sat, Sep 21, 2019 at 7:52 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org > > wrote: > >> To remedy this, Entrust Datacard surveyed all of

Re: Website owner survey data on identity, browser UIs, and the EV UI

On Sunday, September 22, 2019 at 7:49:14 AM UTC-7, Gijs Kruitbosch wrote: [snip] > On 22/09/2019 00:52, Kirk Hall wrote: > > (1) *97%* of respondents agreed or strongly agreed with the statement: > > "Customers / users have the right to know which organization is running a > > website if the

Re: Website owner survey data on identity, browser UIs, and the EV UI

On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or security

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:20 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote: In separate research, CAs have shown data to demonstrate that website owners want to have their identity verified. >>> >>> They have not. In fact, I would say that most

Re: Website owner survey data on identity, browser UIs, and the EV UI

On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy wrote: > > On 2019-10-02 09:20, Kurt Roeckx wrote: >> On 2019-10-02 02:39, Paul Walsh wrote: >>> >>> According to Ellis, the goal for a customer survey is to get feedback from >>> people who had recently experienced "real usage"

Re: Website owner survey data on identity, browser UIs, and the EV UI

On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy wrote: > > On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote: >> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >>> New tools such as Modlishka now automate phi

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:11 PM, Kurt Roeckx wrote: > > On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote: >> On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy >> wrote: >>> >>> On 2019-10-02 09:20, Kurt Roeckx wrote: On 2019-10-02 02:39, Paul Walsh wrote: >

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:18 PM, Ronald Crane via dev-security-policy > wrote: > > > On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy >> wrote: >>> On 10/1/2019 6:56 PM, Paul

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:27 PM, Peter Gutmann via dev-security-policy > wrote: > > Ronald Crane via dev-security-policy > writes: > >> "Virtually impossible"? "Anyone"? Really? Those are big claims that need real >> data. > > How many references to research papers would you like? Would a

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other cha

Re: Firefox removes UI for site identity

> On Oct 24, 2019, at 2:59 PM, Julien Vehent via dev-security-policy > wrote: > > On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote: >> There is zero data from any company to prove that browser UI for website >> identity can’t work. > >

Re: Firefox removes UI for site identity

On Oct 24, 2019, at 12:36 PM, Phillip Hallam-Baker via dev-security-policy wrote: > > Eric, > > I am not going to be gaslighted here. > > Just what was your email supposed to do other than "suppressing dialogue > within this community"? > > I was making no threat, but if I was still working

Re: [FORGED] Re: Firefox removes UI for site identity

> On Oct 24, 2019, at 6:53 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> we conducted the same research with 85,000 active users over a period of >> 12 months > > As I've already pointed out weeks ago when you first raised

Re: [FORGED] Re: Firefox removes UI for site identity

On Oct 24, 2019, at 6:53 PM, Peter Gutmann wrote: >> >> Paul Walsh via dev-security-policy >> writes: >> >>> we conducted the same research with 85,000 active users over a period of >>> 12 months >> >> As I've already pointed out weeks a

Re: [FORGED] Firefox removes UI for site identity

> On Oct 28, 2019, at 2:12 PM, James Burton wrote: > > [PW] Phil knows more about the intent so I’ll defer to his response at the > end of this thread. I would like to add that computer screens bigger than > mobile devices aren’t going away. So focusing only on mobile isn’t a good > idea. >

Re: [FORGED] Firefox removes UI for site identity

On Oct 25, 2019, at 7:56 AM, Phillip Hallam-Baker wrote: > > > > On Fri, Oct 25, 2019 at 4:21 AM James Burton > wrote: > Extended validation was introduced at a time when mostly everyone browsed the > internet using low/medium resolution large screen devices that

Re: [FORGED] Firefox removes UI for site identity

> On Oct 28, 2019, at 3:39 PM, Wayne Thayer wrote: > > Hi Paul, > > On Mon, Oct 28, 2019 at 2:41 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > > [PW] So you dislike Mozilla’s implementation for the tracker

Re: [FORGED] Firefox removes UI for site identity

taken from a competitor with links to their work. If you disagree with my conclusions, say so. But throwing insults is hardly adding value, is it? - Paul > > Thank you > > Burton > > On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy > <mailto:dev-

Re: [FORGED] Firefox removes UI for site identity

Hi Nick, > On Oct 29, 2019, at 7:07 AM, Nick Lamb wrote: > > On Mon, 28 Oct 2019 16:19:30 -0700 > Paul Walsh via dev-security-policy > wrote: >> If you believe the visual indicator has little or no value why did >> you add it? > > The EV indication dates

Re: [FORGED] Firefox removes UI for site identity

competitor with links to their work. If you > disagree with my conclusions, say so. But throwing insults is hardly adding > value, is it? > > - Paul > >> >> Thank you >> >> Burton >> >> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy >

Re: [FORGED] Firefox removes UI for site identity

If you > disagree with my conclusions, say so. But throwing insults is hardly adding > value, is it? > > - Paul > >> >> Thank you >> >> Burton >> >> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy >> > <

Re: Firefox removes UI for site identity

ollouts > and a general delay in users updating). > > Cheers, > > Johann > > On Tue, Oct 22, 2019 at 9:06 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > Directly question for Mozilla. > >

Re: Firefox removes UI for site identity

On Oct 22, 2019, at 4:49 PM, Matt Palmer via dev-security-policy wrote: > > On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy > wrote: >> I also have a question for Mozilla on the removal of the EV UI. > > This is a mischaracterisation. The EV UI has not been

Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

> On Oct 18, 2019, at 7:55 AM, scott.helme--- via dev-security-policy > wrote: > > >> I hope the Mozilla community will celebrate this honor, but will also >> reconsider its proposal to drop support for EV certificates – that would >> mean that Firefox no longer meets all BSI requirements

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

On Oct 18, 2019, at 6:31 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> I have no evidence to prove what I’m about to say, but I *suspect* that the >> people at BSI specified “EV” over the use of other terms because of the >>

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

On Oct 18, 2019, at 6:39 PM, Peter Bowen wrote: > >  >> On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy >> wrote: > >> Paul Walsh via dev-security-policy >> writes: >> >> >I have no evidence to prove what I’m about to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

/casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/> Thanks, - Paul > > -R > > On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote: >> I have two questions Ronald: >> >&

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

; On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote: >> I have two questions Ronald: >> >> 1. What should I look for? I just see a DV cert from Let’s Encrypt. >> >> 2. Why did you message the entire community about whatever it is you’ve >>

Firefox removes UI for site identity

Directly question for Mozilla. Today, the website identity UI was removed from Firefox. “We" new it was coming. But millions of users didn’t. Why wasn’t this mentioned in the release notes on the page that’s automatically opened following the update? Someone might say “they didn’t know it

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 9, 2019, at 4:21 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/9/2019 3:17 PM, Paul Walsh wrote: >>> On Oct 9, 2019, at 3:06 PM, Ronald Crane via dev-security-policy >>> wrote: >>> >>> On 10/9/2019 2

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

ote: > > > >> On Oct 9, 2019, at 3:23 PM, Ryan Sleevi > <mailto:r...@sleevi.com>> wrote: >> >> >> >> On Wed, Oct 9, 2019 at 6:06 PM Paul Walsh via dev-security-policy >> > <mailto:dev-security-policy@lists.mozilla.org>> w

Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 9, 2019, at 4:19 PM, Peter Gutmann wrote: > > Paul Walsh via dev-security-policy > writes: > >> The data suggests that automatically issued DV certs for free is a favorite >> for criminals. > > True, but that one's just an instance of Sutton's

Re: Mozilla Policy Requirements CA Incidents

Ryan, You just proved me right by saying I’m confused because I hold an opinion about how you conduct yourself when collaborating with industry stakeholders. My observations are the same across the board. I don’t think I’m confused. But you’re welcome to disagree with me. And, it’s not

Re: Mozilla Policy Requirements CA Incidents

> On Oct 8, 2019, at 12:51 PM, Matthew Hardeman wrote: > > > On Tue, Oct 8, 2019 at 2:10 PM Ryan Sleevi via dev-security-policy > > wrote: > On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh > wrote: > > so we need better

Re: Mozilla Policy Requirements CA Incidents

I read Jeremy’s last response before posting my comment. Dear Ryan, It would help a great deal, if you tone down your constant insults towards the entire CA world. Questioning whether you should trust any CA is a bridge too far. Instead, why don’t you try to focus on specific issues with

Re: Mozilla Policy Requirements CA Incidents

> On Oct 8, 2019, at 12:44 PM, Ryan Sleevi wrote: > > Paul, [snip] > It does not seem you're interested in finding solutions for the issues, [PW] You are mixing things up Ryan. I am interested in finding solution to issues. I specifically kept my message on point, which was your tone and

Re: Updated website owner survey data on identity, browser UIs, and the EV UI

I finally got around to digesting the email below. Summary/Reminder: CA related data on website identity from the perspective of website owners. As Homer Simpson said, "70% of all reports are made up”. So, everything put forward by me in previous messages, or anyone else, must be taken with a

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:52 PM, Peter Gutmann wrote: > > Paul Walsh ​ writes: > >> I would like to see one research paper published by one browser vendor to >> show that website identity visual indicators can not work. > > Uhhh... are you serious with that request? You're asking for a study

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote: >> New tools such as Modlishka now automate phishing attacks, making it >> virtually impossible for any browser or sec

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote: >> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy >> wrote: > [snip] >>> Some other cha

Re: [FORGED] Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 2, 2019, at 4:05 PM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:27 PM, Peter Gutmann wrote: >> Ronald Crane via dev-security-policy >> writes: >> >>> "Virtually impossible"? "Anyone"? Really? Those are big claims that need >>> real >>> data. >> How many

Re: Website owner survey data on identity, browser UIs, and the EV UI

> On Oct 9, 2019, at 10:42 AM, Ronald Crane via dev-security-policy > wrote: > > On 10/2/2019 3:50 PM, Paul Walsh via dev-security-policy wrote: > > [snip] >>>> sɑlesforce[.com] is available for purchase right now. >>> I was going to suggest banning non-

Re: Website owner survey data on identity, browser UIs, and the EV UI

On Oct 9, 2019, at 7:30 AM, Leo Grove via dev-security-policy wrote: > > On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote: >> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy >> wrote: >>> Why isn’t anyone’s head blowin

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

Everything I have ever said on this thread can now be found in one article: https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ This was by invitation of the CA Security Council a few months ago. I have never worked for a CA and I have never had any reason to say anything in

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

I’ve replied for the record even though you say this is your last post on this particular thread, or to me. I’m good with that as I don’t think you care about what anything anyone says outside the browser vendor world anyway. > On Oct 9, 2019, at 5:09 PM, Ryan Sleevi wrote: > > > > On Wed,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

I have two questions Ronald: 1. What should I look for? I just see a DV cert from Let’s Encrypt. 2. Why did you message the entire community about whatever it is you’ve found? Thanks, Paul Sent from my iPhone > On Oct 12, 2019, at 11:04 AM, Ronald Crane via dev-security-policy > wrote: >

Re: About upcoming limits on trusted certificates

> On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy > wrote: > > On 3/11/20 3:51 PM, Paul Walsh wrote: >> Can you provide some insight to why you think a shorter frequency in domain >> validation would be beneficial? > > To start with, it is common for a domain name to be

Re: About upcoming limits on trusted certificates

Hi Kathleen, Can you provide some insight to why you think a shorter frequency in domain validation would be beneficial? At the very least it deserves a new thread as the potential impact could be significant. And out of curiosity, why not raise your question inside the CA/Browser forum if

Re: About upcoming limits on trusted certificates

Thanks for the clarification, Kathleen. I tried my best not to make assumptions. - Paul > On Mar 11, 2020, at 5:28 PM, Kathleen Wilson via dev-security-policy > wrote: > > On 3/11/20 4:37 PM, Paul Walsh wrote: On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

[snip] >> So the question now is what the community intends to do to retain trust >> in a certificate issuer with such an obvious malpractise enabling >> phishing sites? > > TLS is the wrong layer to address phishing at, and this issue has already > been discussed extensively on this list.

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

bymonster.com/>. > > On Wednesday, August 12, 2020, Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > [snip] > > >> So the question now is what the community intends to do to retain trust > >> in a certificate

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

equire certs. > > CAs are not meant to certify that the party you’re communicating with isn’t > a monster. Just that if you are visiting siterunbymonster.com > <http://siterunbymonster.com/> that you > really are speaking with siterunbymonster.com <http://siterunbymo

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

certify that the party you’re communicating with isn’t >> a monster. Just that if you are visiting siterunbymonster.com >> <http://siterunbymonster.com/> that you >> really are speaking with siterunbymonster.com <http://siterunbymonster.com/>. >> &

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

> On Aug 13, 2020, at 11:04 AM, Tobias S. Josefowitz via dev-security-policy > wrote: > > On Thu, Aug 13, 2020 at 7:20 PM Paul Walsh via dev-security-policy > wrote: >> >> "Every domain should be allowed to have a certificate ***regardless of >>

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

t; You end up in a position of editorializing. If you will not provide >>> service for abuse, everyone with a gripe constantly tries to redefine abuse. >>> >>> >>> Additionally, this is why positive security indicators are clearly on the >>> way out

Re: Concerns with Let's Encrpyt repeated issuing for known fraudulent sites

I agree Eric. I apologize for those words, they’re beneath me and everyone else who strives for civil debate. It’s a terrible paragraph of text. - Paul > On Aug 13, 2020, at 4:09 PM, Eric Mill wrote: > > On Thu, Aug 13, 2020 at 10:20 AM Paul Walsh via dev-security-policy >

Re: New Blog Post on 398-Day Certificate Lifetimes

Thanks Ben, I’ve only had half a cup of coffee this am, so it’s possible I’m not yet awake :) I have a question about reasons 2 and 3 as they’re closely related to the attack vector. According to Google, spear phishing attacks have a shelf life of 7 minutes while bulk campaigns have a shelf

Re: New Blog Post on 398-Day Certificate Lifetimes

regards, Paul > On Jul 9, 2020, at 11:26 AM, Ryan Sleevi wrote: > > > > On Thu, Jul 9, 2020 at 1:04 PM Paul Walsh via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org>> wrote: > > According to Google, spear phishing > > I didn't s

Re: New Blog Post on 398-Day Certificate Lifetimes

Ugh, some poor language/typos but I”m sure people can navigate them. Sorry about that. > On Jul 9, 2020, at 10:04 AM, Paul Walsh wrote: > > Thanks Ben, > > I’ve only had half a cup of coffee this am, so it’s possible I’m not yet > awake :) > > I have a question about reasons 2 and 3 as

Re: New Blog Post on 398-Day Certificate Lifetimes

on’t see the risk that some people see. Hoping to be corrected because the > alternative is that browsers are about to make life harder and more expensive > for website owners with little to no upside - outside that of a researchers > lab. > > Warmest regards, > Paul >

Re: Certificates possibly misissued to historical UK counties

As someone who worked in Richmond and lived in Surrey while registering more than one UK company, I can testify to this. I’d only add that the post code is what’s most helpful when establishing a location. > On Jul 9, 2020, at 5:24 PM, Nick Lamb via dev-security-policy > wrote: > > On

Re: Use of information collected from problem reporting addresses for marketing?

I dislike being added to lists as much as the next person. There are numerous reasons for what might have happened. Had you setup an address for the purpose of contacting them, or any other company, you’d know for sure. My personal approach would be to ask them before emailing the list. And