On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy <
[email protected]> wrote:

> As an employee of a CA, I’m sure many here will dismiss my point of view
> as self-serving.  But when I am making trust decisions on the internet, I
> absolutely rely on both the URL and the organization information in the
> “green bar”.  I relied on it before I worked for a CA, and I’m pretty sure
> I’ll still rely on it after I no longer work in this industry (if such a
> thing is even possible, as some in the industry have assured me it’s not).
>

I think the focus on the edge cases has been because even the case you
raise here (and below), can be demonstrated as technically flawed.

You believe you're approaching a sense of security, but under an
adversarial model, it falls apart.

The historic focus has been on the technical adversary - see Nick Lamb's
recent reply a few minutes before yours - and it's been thoroughly
shown that EV is insufficient under an attacker model that is 'on the
wire'. However, EV proponents have still argued for EV, by suggesting that
even if it's insufficient for network adversaries, it's sufficient for
organizational adversaries. Ian's and James' research shows that's also
misguided.

So you're not wrong that, as a technically skilled user, and as an employee
of a CA, you've come to a conclusion that EV has value, and conditioned
yourself to look for that value being expressed. But under both adversarial
models relative to the value EV provides, EV does not address them. So what
does the UI provide, then, if it cannot provide either technical
enforcement or "mental-model" safety?

Are you wrong for wanting those things? No, absolutely not. They're
perfectly reasonable to want. But both the technical means of expressing
that (the certificate) and the way to display that to the user (the UI
bar), neither of these hold up to rigor. They serve as placebo rather than
panacea, as tiger repelling rocks rather than real protections.

Since improving it as a technical means is an effective non-starter (e.g.
introducing a new origin for only EV certs), the only fallback is to the
cognitive means - and while users such as yourself may know the
jurisdictional details for all the sites they interact with, and may have a
compelling desire for such information, that doesn't necessarily mean it
should be exposed to millions of users. Firefox has about:config, for
example - as well as extensions - and both of those could provide
alternative avenues with much greater simplicity for the common user.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
