So many of the arguments made here, such as this one, as well as the recent demonstrations that helped start this thread, focus on edge cases. And while those are certainly valuable to consider, they obscure the fact that “Green Bar” adds value in the mainstream use cases. If we were talking about how to improve EV, then by all means focus on the edge cases. The thing I don’t see in all this is a compelling argument to take away something that’s useful most of the time.
As an employee of a CA, I’m sure many here will dismiss my point of view as self-serving. But when I am making trust decisions on the internet, I absolutely rely on both the URL and the organization information in the “green bar”. I relied on it before I worked for a CA, and I’m pretty sure I’ll still rely on it after I no longer work in this industry (if such a thing is even possible, as some in the industry have assured me it’s not). Sure, I don’t pay attention if I’m just reading the news or something. But before I enter credentials or credit card info into a web page, I absolutely look at both the URL and the organization name to see if they match my expectations. If the company name shown is not what I expected or if it’s absent altogether, that’s a red flag to me to either do a little more research before proceeding, or abandon it altogether.

I agree, James & Ian’s demonstrations show cases where the information presented was not effective for the end user. But it seems an incredible leap to me to go from a couple of demonstrated shortcomings to suggesting outright removal of something that is useful most of the time. It also seems that if you follow that line of thinking, you have to also advocate for removing the URL from display. If “Identity Verified” as a company name is going to confuse some people into trusting the site, then couldn’t I also confuse many of the same people by registering “identity-verified.com” or some variant?

I don’t claim to speak for anyone but myself as a web user here. I probably view a web site with more suspicion than most of the general public, as a result of the nature of my work. The majority of users are probably going to make their trust decisions purely based on whether or not the browser jumps in with an interstitial warning them that it’s a known malicious site. Absent that, they’re going to trust that if the page has Megabank’s logo on it, then it’s really Megabank.
While I appreciate the value the malicious site filters are providing me, they can’t know about every bad site, and I’m not willing to fully outsource my trust decisions to them. Safari’s decision to hide the URL and only display the organization name on a site with an EV cert is a deal-killer to me using it, because it’s taking away information I rely on. Similarly, if Firefox were to remove the EV indicator, that would be more than enough reason for me to switch to another browser that still had it.

Of course a scenario like Nick describes could happen to subvert my decision. Of course I might make a human mistake in interpreting the displayed organization name in a particular instance. But what I am confident of is, in the totality of my web usage, my credentials / credit card / whatever will be sent to wrong people fewer times if you give me that information than if you hide it from me.

On 12/13/17, 12:38 PM, "dev-security-policy on behalf of Nick Lamb via dev-security-policy" <dev-security-policy-bounces+tshirley=trustwave....@lists.mozilla.org on behalf of [email protected]> wrote:

On Wed, 13 Dec 2017 12:29:40 +0100 Jakob Bohm via dev-security-policy <[email protected]> wrote:

> What is *programmatically* enforced is too little for human safety.
> believing that computers can replace human judgement is a big mistake.
> Most of the world knows this.

That's a massive and probably insurmountable problem then since the design of HTTPS in particular and the way web browsers are normally used is _only_ compatible with programmatic enforcement.

Allow me to illustrate:

Suppose you visit your bank's web site. There is a lovely "Green Bar" EV certificate, and you, as a vocal enthusiast for the value of Extended Validation, examine this certificate in considerable detail, verifying that the business identified by the certificate is indeed your bank. You are doubtless proud that this capability was available to you.
You fill in your username and password and press "Submit". What happens? Maybe your web browser finds that the connection it had before to the bank's web site has gone, maybe it timed out, or there was a transient network problem or a million other things. But no worry, you don't run a web browser in order to be bothered with technical minutiae - the browser will just make a new connection. This sort of thing happens all the time without any trouble.

This new connection involves a fresh TLS setup, the server and browser must begin again, the server will present its certificate to establish identity. The web browser examines this certificate programmatically to decide that it's OK, and if it is, the HTTPS form POST operation for the log in form is completed by sending your username and password over the new TLS connection.

You did NOT get to examine this certificate. Maybe it's the same one as before, maybe it's slightly different, maybe completely different, the hardware (let alone software) answering needn't be the same as last time and the certificate needn't have any EV data in it. Your web browser was happy with it, so that's where your bank username and password were sent. Even IF you decide now, with the new connection, that you don't trust this certificate, it's too late. Your credentials were already delivered to whoever had that certificate.

Software makes these trust decisions constantly, they take only the blink of an eye, and require no human attention, so we can safely build a world that requires millions of them. The moment you demand human attention, you not only introduce lots of failure modes, you also use up a very limited resource.

Perhaps you feel that when browsing the web you make a conscious decision about trust for each site you visit. Maybe, if you are extraordinarily cautious, you make the decision for individual web pages.
Alas, to be of any use the decisions must be taken for every single HTTP operation, and most pages will use dozens (some hundreds) of such operations.
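
The reconnect scenario in the quoted message, as an added example that is not part of the thread: a hypothetical client-side gate that re-checks the certificate's organization on every connection before releasing credentials, so the check does not depend on a human having inspected an earlier connection. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the organization name, hostname, credentials and the `CredentialGate` helper are constructed for illustration and do not describe what any browser does.

```python
# Added illustration: enforce the expected organization programmatically on
# every connection, because a human only ever inspects the first one.
# Certificates are constructed samples in ssl.SSLSocket.getpeercert() layout.

def subject_field(peercert, name):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


class CredentialGate:
    """Releases credentials only if this connection's cert matches the pin."""

    def __init__(self, expected_org):
        self.expected_org = expected_org
        self.log = []  # (connection number, organization seen, decision)

    def submit(self, conn_no, peercert, credentials):
        org = subject_field(peercert, "organizationName")
        allowed = org == self.expected_org
        self.log.append((conn_no, org, "sent" if allowed else "blocked"))
        # Credentials leave the client only after the check on THIS connection.
        return credentials if allowed else None


# Connection 1: the certificate the user inspected by hand (constructed).
EV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Megabank Inc"),),
                       (("commonName", "www.megabank.example"),))}
# Connection 2: a fresh TLS handshake presenting a certificate for the same
# name that carries no organization field at all (constructed).
DV_CERT = {"subject": ((("commonName", "www.megabank.example"),),)}


def demo():
    gate = CredentialGate("Megabank Inc")
    first = gate.submit(1, EV_CERT, "user:pw")
    second = gate.submit(2, DV_CERT, "user:pw")
    return first, second, gate.log


if __name__ == "__main__":
    print(demo())
```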

