On 8/29/19, Nick Lamb <[email protected]> wrote:
> On Thu, 29 Aug 2019 13:33:26 -0400
> Lee via dev-security-policy <[email protected]>
> wrote:
>
>> That it isn't my financial institution. Hopefully I'd have the
>> presence of mind to save the fraud site cert, but I'd either find the
>> business card of the person I've been dealing with there or find an
>> old statement, call and ask to be transferred to the fraud dept.
>
> I commend this presence of mind.
>
>> Same deal if the displayed info ends with (US) but doesn't match what
>> I'm expecting, except I'd be asking the fraud dept about the name
>> change instead of telling them.
>
> Perhaps American banks are much better about this than those I've
> handled but certainly here in the UK "expecting" is tricky for ordinary
> customers.

I'm expecting to see the same string I've seen every other time I visited that site. I did have one bank that was bought out by another & they even sent a letter about the upcoming name change. ^shrug^ The 1st time after the change I still called & had them read me the new company name string.

> As a domain expert I know why my good bank says:

<.. snip examples ..>

>> I understand that EV certs aren't a panacea, but for the very few web
>> sites that I really care about I like having the company name
>> displayed automatically. I think they're helpful and, since I use
>> bookmarks instead of email links or search results, provide an
>> adequate assurance that I've actually ended up on the web site I want.
>> Is that an incorrect assumption? What more should I be doing?
>
> The implication of the UI change is that you needn't bother trying to
> guess whether the Company Name is what you expected,

Right. I get the implication. I disagree with it because I'm not guessing what the displayed name is supposed to be; I already know. Which is why I don't like the proposed change: it makes it harder to verify the site. (Yes, one or two mouse clicks isn't all _that_ much harder, but I'm going to be ranting at Mozilla every time I make those clicks. Great PR move Moz://a! Remind me every time I visit a banking site how much more I liked the older version of FF.)

> if you are
> visiting the bookmark for your bank (credit union, card issuer,
> whatever), that will be your bank. As you have seen in this thread,
> some people don't agree, but I endorse this view.

How does that square with a few msgs upthread where BGP hijacks were mentioned? I'd agree that's a low probability event, but if someone manages to hijack the routes for DNS + my bank & gets a free cert 2 minutes later for what is supposedly my bank... it seems like that EV cert is the only thing left preventing me from entering my credentials on an imposter web site.

> In a broader picture, there isn't much you should bother trying to do,
> the onus is largely on the bank.

Even if the onus _is_ largely on the bank, I'd much rather not find out how long it's going to take & what all I have to do to recover from entering my credentials on an imposter site.

Regards,
Lee

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
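The check Lee describes, comparing the company name shown for an EV certificate against the string remembered from earlier visits, can be written down as code. The example below is added here and is not part of Lee's post or of any Mozilla code; it uses only the Python standard library. The two certificates are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns (a `subject` made of RDN tuples), with an invented organization and a `.test` hostname. One carries an organization and country, as an EV certificate does; the other is a domain-validated certificate for the same hostname with no organization at all, which is what a freshly issued free certificate in the hijack scenario Lee raises would look like.

```python
"""Pin the identity string an EV certificate displays and flag changes.

Added example, not from the mailing-list post. The certificate dicts are
constructed samples in the format ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from typing import Dict, Optional

# Constructed sample: subject of an EV-style certificate. getpeercert()
# returns 'subject' as a tuple of RDNs, each a tuple of (attribute, value).
EV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Example State"),),
        (("organizationName", "Example Bank, N.A."),),
        (("serialNumber", "0000000"),),
        (("commonName", "www.examplebank.test"),),
    ),
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}

# Constructed sample: a domain-validated certificate for the same hostname.
# It proves control of the name only, so there is no organization to show.
DV_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}


def subject_attrs(peercert: dict) -> Dict[str, str]:
    """Flatten getpeercert()['subject'] into a plain {attribute: value} map."""
    attrs: Dict[str, str] = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def identity_string(peercert: dict) -> Optional[str]:
    """Return "Organization (CC)", the form the EV indicator displayed it in,
    or None when the certificate carries no organization and country."""
    attrs = subject_attrs(peercert)
    org = attrs.get("organizationName")
    country = attrs.get("countryName")
    if not org or not country:
        return None
    return f"{org} ({country})"


def check_identity(peercert: dict, expected: str) -> str:
    """Compare the certificate's identity string with the one pinned on an
    earlier visit.

    'match'   - same organization and country as remembered
    'changed' - an organization is present but differs (the name-change case
                Lee would ask the fraud department about)
    'missing' - no organization at all (what a DV certificate produces)
    """
    shown = identity_string(peercert)
    if shown is None:
        return "missing"
    return "match" if shown == expected else "changed"


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch and validate a live server's leaf certificate with the default
    trust store; not used by the sample run below, so the file works offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    pinned = "Example Bank, N.A. (US)"   # the string remembered from past visits
    for label, cert in (("EV sample", EV_CERT), ("DV sample", DV_CERT)):
        print(f"{label}: shows {identity_string(cert)!r} -> {check_identity(cert, pinned)}")
```

Two caveats a practitioner would keep in mind. An OV certificate also carries an organization in its subject, so this comparison alone does not separate EV from OV; that distinction lives in the issuer's EV policy OID, which `getpeercert()` does not expose. And a result of `changed` is exactly the situation Lee describes calling the bank about: it is a prompt to verify out of band, not proof of fraud, since legitimate renames and acquisitions change the string too.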

