I have a few more comments/annotations:

(1) Pro-EV persons argue "Criminals have problems getting an EV certificate, so most of them are using only DV certificates". Anti-EV persons argue "Criminals just don't use EV certificates, because they know that end users don't look at the EV indicator anyway". I assume we do not know which of these two assumptions fits the majority of criminals. So why should we make a decision (change of UI) based on such assumptions?

(2) I am a pro-EV person, and I do not have any financial benefit from EV certificates. I do not own EV certificates; instead my own websites use Let's Encrypt DV certificates. But when I visit important pages like Google or PayPal, I do look at the EV indicator bar, because I know that these pages always have an EV certificate. If I visited PayPal and only saw a normal padlock (DV), then I would instantly leave the page, because I know that PayPal always has an EV certificate. So, at least for me, the UI change is very negative (except if you color the padlock in a different color; that would be OK for me). We cannot say that all users don't care about the EV indicator. For some users like me, it is important.

(3) Also, I wanted to ask: if you want to remove the UI indicator because you think that EV certificates give a feeling of false security, then please tell me: what is the alternative? Removing the UI bling without giving any alternative solution is just wrong in my opinion. Yes, there might be a tiny number of phishing sites that use EV certificates, but the EV indicator bar is still better than just nothing. Anti-phishing filters are not a good alternative, because they only protect when the harm is already done to some users.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

