I’m not looking for a guarantee. Nothing is ever going to meet that standard. What I’m looking for is something that’s going to improve my odds. What I see in Ian’s and James’s research is some ways that it’s possible to create confusion, accidentally or deliberately. But I haven’t heard of any real world cases where such deception was used deliberately to date. And I’d expect, since Certificate Transparency has been required for a couple of years now for EV treatment in Chrome, that if such attacks were actually happening in the real world today with EV certificates, we’d know about them and they would be getting trumpeted in this thread.

Why do police wear bulletproof vests when they know they’re entering a dangerous situation? A vest only covers part of the body, so they’re still in danger. I wouldn’t call a bulletproof vest a placebo. It’s a layer of defense, just like EV. I’m not claiming EV “solves” phishing, but I am claiming that it mitigates it.

I guess I’m also having a hard time appreciating how the presence of this information is a “cost” to users who don’t care about it. For one thing, it’s been there for years in all major browsers, so everyone has at least been conditioned to its presence already. But how is someone who isn’t interested in the information in the first place being confused by it? And if the mere presence of an organization name is creating confusion, then surely a URL with lots of words and funny characters in it would be confusing people too, and we should remove that too, right?

From: Ryan Sleevi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 13, 2017 at 2:01 PM
To: Tim Shirley <[email protected]>
Cc: "[email protected]" <[email protected]>, Nick Lamb <[email protected]>, "[email protected]" <[email protected]>, Jakob Bohm <[email protected]>
Subject: Re: On the value of EV

Right, but both Ian's and James' research shows that it's an unreliable guarantee for those attacks - you may be relying on it, but it's not safe for it.

Further, the costs to support your use case - well-intentioned but perhaps not aligning with the pragmatic reality - affect users who don't do so or aren't conditioned, by adding further confusion into the nuances of jurisdictional incorporation.

So if it doesn't meet your intended use case / you're relying on a placebo, and it harms others, perhaps the UI treatment should go away :)

Note, my focus in all of this discussion has been about the expression of UI surface in the security-critical section of a browser, and specifically, I asked for Mozillans to comment on their plans (which, of course, had everyone but them commenting). There may still be value in EV-as-a-validation, but EV as a phishing mitigation - your scam emails or such - is not solved by EV. Technically or via validation.

On Wed, Dec 13, 2017 at 1:52 PM, Tim Shirley <[email protected]> wrote:

I don’t dispute your claims if the attacker is ‘on the wire’; what I dispute is that that is actually the case most of the time. I’d think a far more common case is one in which I receive an email, purportedly from my bank, but containing a URL that isn’t the one I recognize as my bank’s. Usually that’s a scam, but sometimes it’s a legit separate domain they have for the credit card rewards program or something like that. Or a case where I am typing a known URL and I fat-finger something and stumble onto a scammer’s site. The immediate absence of the EV organization name is going to help me detect that I’m not where I want to be.

BTW, I looked at these things long before I was in the CA business, so if I was “conditioned” it must have been by the outside world. ☺

From: Ryan Sleevi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 13, 2017 at 1:18 PM
To: Tim Shirley <[email protected]>
Cc: Nick Lamb <[email protected]>, "[email protected]" <[email protected]>, Jakob Bohm <[email protected]>
Subject: Re: On the value of EV

On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy <[email protected]> wrote:

As an employee of a CA, I’m sure many here will dismiss my point of view as self-serving. But when I am making trust decisions on the internet, I absolutely rely on both the URL and the organization information in the “green bar”. I relied on it before I worked for a CA, and I’m pretty sure I’ll still rely on it after I no longer work in this industry (if such a thing is even possible, as some in the industry have assured me it’s not).

I think the focus on the edge cases has been because even the case you raise here (and below) can be demonstrated as technically flawed. You believe you're approaching a sense of security, but under an adversarial model, it falls apart.

The historic focus has been on the technical adversary - see Nick Lamb's recent reply a few minutes before yours - and it's been thoroughly shown that EV is insufficient under an attacker model that is 'on the wire'. However, EV proponents have still argued for EV, by suggesting that even if it's insufficient for network adversaries, it's sufficient for organizational adversaries. Ian's and James' research shows that's also misguided.

So you're not wrong that, as a technically skilled user, and as an employee of a CA, you've come to a conclusion that EV has value, and conditioned yourself to look for that value being expressed. But under both adversarial models relative to the value EV provides, EV does not address them. So what does the UI provide, then, if it cannot provide either technical enforcement or "mental-model" safety?

Are you wrong for wanting those things? No, absolutely not. They're perfectly reasonable to want. But both the technical means of expressing that (the certificate) and the way to display that to the user (the UI bar) - neither of these hold up to rigor. They serve as placebo rather than panacea, as tiger-repelling rocks rather than real protections.

Since improving it as a technical means is an effective non-starter (e.g. introducing a new origin for only EV certs), the only fallback is to the cognitive means - and while users such as yourself may know the jurisdictional details for all the sites they interact with, and may have a compelling desire for such information, that doesn't necessarily mean it should be exposed to millions of users. Firefox has about:config, for example - as well as extensions - and both of those could provide alternative avenues with much greater simplicity for the common user.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy