I don’t dispute your claims if the attacker is ‘on the wire’; what I dispute is that that is actually the case most of the time. I’d think a far more common case is one in which I receive an email, purportedly from my bank, but containing a URL that isn’t the one I recognize as my bank’s. Usually that’s a scam, but sometimes it’s a legit separate domain they have for the credit card rewards program or something like that. Or a case where I am typing a known URL and I fat-finger something and stumble onto a scammer’s site. The immediate absence of the EV organization name is going to help me detect that I’m not where I want to be.
BTW, I looked at these things long before I was in the CA business, so if I was “conditioned” it must have been by the outside world. ☺

From: Ryan Sleevi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 13, 2017 at 1:18 PM
To: Tim Shirley <[email protected]>
Cc: Nick Lamb <[email protected]>, "[email protected]" <[email protected]>, Jakob Bohm <[email protected]>
Subject: Re: On the value of EV

On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy <[email protected]> wrote:

> As an employee of a CA, I’m sure many here will dismiss my point of view as self-serving. But when I am making trust decisions on the internet, I absolutely rely on both the URL and the organization information in the “green bar”. I relied on it before I worked for a CA, and I’m pretty sure I’ll still rely on it after I no longer work in this industry (if such a thing is even possible, as some in the industry have assured me it’s not).

I think the focus on the edge cases has been because even the case you raise here (and below) can be demonstrated as technically flawed. You believe you're approaching a sense of security, but under an adversarial model, it falls apart. The historic focus has been on the technical adversary - see Nick Lamb's recent reply a few minutes before yours - and it's been thoroughly shown that EV is insufficient under an attacker model that is 'on the wire'. However, EV proponents have still argued for EV, by suggesting that even if it's insufficient for network adversaries, it's sufficient for organizational adversaries. Ian's and James' research shows that's also misguided. So you're not wrong that, as a technically skilled user, and as an employee of a CA, you've come to a conclusion that EV has value, and conditioned yourself to look for that value being expressed. But under both adversarial models relative to the value EV provides, EV does not address them.
So what does the UI provide, then, if it cannot provide either technical enforcement or "mental-model" safety? Are you wrong for wanting those things? No, absolutely not. They're perfectly reasonable to want. But both the technical means of expressing that (the certificate) and the way to display that to the user (the UI bar), neither of these hold up to rigor. They serve as placebo rather than panacea, as tiger-repelling rocks rather than real protections. Since improving it as a technical means is an effective non-starter (e.g. introducing a new origin for only EV certs), the only fallback is to the cognitive means - and while users such as yourself may know the jurisdictional details for all the sites they interact with, and may have a compelling desire for such information, that doesn't necessarily mean it should be exposed to millions of users. Firefox has about:config, for example - as well as extensions - and both of those could provide alternative avenues with much greater simplicity for the common user.

