On Mon, Dec 11, 2017 at 6:46 PM Matthew Hardeman via dev-security-policy < [email protected]> wrote:
> On Monday, December 11, 2017 at 5:00:14 PM UTC-6, Ryan Sleevi wrote:
> > > That Kentucky registration for Stripe, Inc. -- Is it completely fraudulent as to registered agent, business address, etc? If it's not, then the certificate and underlying entity serve as an archived investigative entry point for law enforcement or potential civil action.
> >
> > Fundamentally, I think this is misleading. It presumes that, upon something bad happening, someone can link it back to that certificate to link it back to that identity. If I was phished, and entered my credentials, there's no reason to believe I've maintained the record details including the phishing link to know I was phished. Are users supposed to spelunk their HTTP cache or maintain complete archives of every link they visited, such that they can get the cert back from it to aid an investigation?
>
> Not really - what matters is that the user insists they got had via a phishing link or other process - that can certainly be verified after the fact

No.

> - did someone steal their money in a sketchy way, but with apparent user authorization? Further, the user swears back and forth that the green bar was there and they looked to see that it matched the site's name - their bank, PayPal, etc.

All users will swear this if it avoids liability. And let's be honest, it's actively hostile to users to say they bear liability if they don't do this - for every click of the page.

> All EV certs are CT logged, find the cert or homograph from there, track to issuer and validation details, chase the entity document path, etc.

As both James and Ian have shown, there are ample ways, if you assume an adversary, that such a process can be circumvented. And of course ignoring all the innocent bystanders along the way - such as Ian, who has not phished Stripe users.

> > The problem with this comparison (and indeed, CAs like to bring it up), is there's no model of how it gets to the civil action or criminal investigation to begin with, in a way that is equivalent with the supposed risks it prevents.
>
> It begins with a sufficient loss, an aggressive attorney, or an aggressive complaining witness before law enforcement.

I do not feel we are engaging in productive dialog anymore. Not for ill intent, but we are clearly talking past each other. Nor do I feel your examples hold up to the simplest of practical concerns, let alone ample research into human computer interaction or warning interaction. Which is the point. Just look at the studies of TSA effectiveness to see this demonstrated in the real world - where 99.9% positive can easily detract from the negative.

There is no evidence to support, let alone threat model, that showing the EV UI today deters threats or provides value in an adversarial model against the average user. And that is the minimal necessary threshold to justify that UI, I would assert.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

