Honestly the issues, as I see them, are twofold:

1. When I visit a site for the first time, how do I know I should expect an EV certificate? I am conscientious about subsequent visits, especially financial industry sites.

2. The browsers seem to have a bias toward the average user, that user literally being less ...smart/aware... than half of all users. EV is a feature that can only benefit people who are vigilant and know what to look for. It seems dismissive of the more capable users, but I suppose that's their call.

On Fri, Aug 16, 2019 at 5:15 PM Daniel Marschall via dev-security-policy <[email protected]> wrote:
> I have a few more comments/annotations:
>
> (1) Pro EV persons argue "Criminals have problems getting an EV certificate, so most of them are using only DV certificates".
>
> Anti EV persons argue "Criminals just don't use EV certificates, because they know that end users don't look at the EV indicator anyway".
>
> I assume we do not know which of these two assumptions fits the majority of criminals. So why should we make a decision (change of UI) based on such assumptions?
>
> (2) I am a pro EV person, and I do not have any financial benefit from EV certificates. I do not own EV certificates; instead my own websites use Let's Encrypt DV certificates. But when I visit important pages like Google or PayPal, I do look at the EV indicator bar, because I know that these pages always have an EV certificate. If I were to visit PayPal and only see a normal padlock (DV), then I would instantly leave the page because I know that PayPal always has an EV certificate. So, at least for me, the UI change is very negative (except if you color the padlock in a different color, that would be OK for me). We cannot say that all users don't care about the EV indicator. For some users like me, it is important.
>
> (3) Also, I wanted to ask, if you want to remove the UI indicator because you think that EV certificates give the feeling of false security, then please tell me: What is the alternative? Removing the UI bling without giving any alternative solution is just wrong in my opinion. Yes, there might be a tiny amount of phishing sites that use EV certificates, but the EV indicator bar is still better than just nothing. Anti-phishing filters are not a good alternative because they only protect when the harm is already done to some users.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy