(Posting in a personal capacity)

On Wed, Aug 28, 2019 at 7:01 PM Kirk Hall via dev-security-policy <[email protected]> wrote:
> Most of the comments against EV certificates on this list have been focused on whether or not the current Firefox EV UI is relied on by Firefox users to make security decisions. (Actually, I have only seen a Google paper on this issue in Chrome, no research from Firefox.)
>
> But there is an ecosystem of anti-phishing browser filters (e.g., Google Safe Browsing, Microsoft Smart Screen) and services (e.g., PhishLabs) as well as others that use the current identity information in EV certs to make better determinations of positive and false positive phishing sites and thereby protect users, as well as for other user security purposes.
>
> Many on this discussion would like to see EV certs disappear entirely and move all websites to DV certs. But remember, if EV certs disappear, so does all the EV identity information that’s being used today by security software to protect users.
>
> So my question to those who want EV certificates to disappear is this: OK, then what is *your* plan for protecting users? Browser filters will be weaker without EV information (and some browser filters today miss 20% of phishing sites at zero hour, according to NSS studies). How will you replace the EV information that’s being used today by phishing filters and services to protect users?
>

These are very reasonable concerns, and a very valid question to ask. However, with respect to Mozilla's original posting here, or the announcements from the Chrome team, it does not sound as if any of the browsers are presently proposing removing EV. So perhaps that's worthy of a separate conversation?

> Any decision on removing the EV UI in Firefox should consider all the related impacts on user security, and not just focus on a single issue (namely, “Do users rely on the EV UI?”), especially when the current Firefox EV UI is doing no harm.
>

I may have missed something in the hundred messages in this thread, but could you highlight what other "impacts on user security" were identified that are specific to the UI, and that are not intrinsically linked to the question of "Do users rely on the EV UI"? Perhaps it might be worth exploring Peter Bowen's questions, in https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/TaXQb7VcAQAJ , or those offered in https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/gBqfc3XPAAAJ , which seemed to identify both the question of harm and how this change would not negatively impair other improvements.

With respect to "doing no harm," a position others on the thread have also mentioned, I don't know that conclusion has been demonstrated. Could you point to any peer-reviewed research or literature that suggests it does no harm? There appears to be a sizable and growing body with respect to Human-Computer Interaction, as well as within the broader behavioural sciences, that the studies around EV have referenced or mentioned in terms of things like "alarm fatigue" and "information overload".

Much like the discussion around correlation versus causation, it seems like there might be two separable pieces:

1) A question about whether users rely on EV UI
2) A question about whether the EV UI causes harm

With respect to the second question, it seems folks have identified that if the answer to 1 is yes, then the answer to 2 is also yes - for example, the mentioned-in-the-original-post Stripe example causing user confusion, or situations like the organization "Identity Verified".

If the answer to 1 is no, then is it reasonable to infer that it causes harm both in terms of software maintenance costs to support that UI, but also in that it may lead users to believe the answer to 1 is or should be yes, thus bringing us back to the harm caused when users rely upon it.

Perhaps I've missed some research on it doing no harm?
Given the issues identified, that would seem to be the burden to demonstrate: folks have provided examples of it doing harm, so it doesn't seem the conclusion is there?

