On Friday, September 6, 2019 at 4:17:44 PM UTC-7, Oliver wrote:
> On Friday, September 6, 2019 at 11:44:30 AM UTC-7, [email protected] wrote:
> 
> > Thanks for the update Jonathan, the article I read didn't mention the 
> > funding source, but the article wasn't the point of my post.
> > 
> > Bottom line, why strip out of view the only browser mechanism that 
> > identifies the owner of a website? Why not force the CA's to improve the EV 
> > validation process and create a ubiquitous user experiences around EV 
> > across ALL browsers so that visitors can begin to see the commonality of 
> > EV's purpose? 
> > 
> > For the betterment of a safer and more trustworthy Internet, why digress 
> > from the concept of web identity verification instead of trying to make it 
> > better?
> 
> The problem is that EV does not provide an owner identity that is actually 
> useful to end users:
> 
>  * the public name of many companies is not their incorporated name (e.g. 
> https://www.thesslstore.com)
> 
>  * Unlike hostnames, company names are not globally unique (as we've seen 
> repeatedly, mentioned earlier was Stripe, Inc). By design this is not a 
> fixable problem - unlike a hostname you cannot say a CA isn't allowed to 
> issue certs to "special" or "high profile" company names. Let's take 
> nissan.com, giving it an EV cert would not help a user distinguish it from 
> Nissan Motors because the EV cert will just say Nissan, Inc or whatever.
> 
> These problems are both uncorrectable, by design. There is no amount of 
> "extra" validation a CA can do that fixes them. If a company is incorporated 
> with a given name a CA cannot refuse to issue an EV cert with that name.
> 
> The only true identity for a given webpage is the URL, and many years of 
> effort have gone into getting users to look at the address bar to verify they 
> are where they think they are. Modern browsers highlight the one part that 
> matters (the hostname) to further help users verify this. EV certs only serve 
> to confuse this by inserting an additional string in the URL bar, or by 
> randomly (from the PoV of the user) overloading the padlock with different 
> colors.
> --Oliver

I don't think using the URL alone to make trust decisions is enough for a user 
to determine whether or not to trust a website.  On this point, Google and I 
seem to be in agreement.

"People have a really hard time understanding URLs," says Adrienne Porter Felt,
Chrome's engineering manager. "They’re hard to read, it’s hard to know which
part of them is supposed to be trusted, **and in general I don’t think URLs are
working as a good way to convey site identity.** So we want to move toward a
place where web identity is understandable by everyone—they know who
they’re talking to when they’re using a website and they can reason about
whether they can trust them. But this will mean big changes in how and when
Chrome displays URLs. We want to challenge how URLs should be displayed and
question it as we’re figuring out the right way to convey identity."

https://www.wired.com/story/google-wants-to-kill-the-url/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy