The Mozilla community seeks broad input before important security decisions like changing the Firefox UI, but it almost never receives any input from one important group – website owners themselves.
To remedy this, Entrust Datacard surveyed all of its TLS/SSL web server certificate customers over three days (19-21 September 2019) concerning website identity in browsers, browser UIs in general, and EV browser UIs in particular. We have received 504 responses from customers to date, and more responses are still coming in. Respondent company size ranged all the way from 1-99 employees to over 20,000 employees.

Here is a summary of the respondent results so far for the six questions listed below.

(1) *97%* of respondents agreed or strongly agreed with the statement: "Customers / users have the right to know which organization is running a website if the website asks the user to provide sensitive data."

(2) *93%* of respondents agreed or strongly agreed with the statement: "Identity on the Internet is becoming increasingly important over time."

(3) When respondents were asked "How important is it that your website has an SSL certificate that tells customers they are at your company's official website via a unique and consistent UI in the URL bar?" *74%* said it was either extremely important or very important to them. Another *13%* said it was somewhat important (total: *87%*).

(4) When respondents were asked "Do you believe that positive visual signals in the browser UI (such as the EV UI for EV sites) are important to encourage website owners to choose EV certificates and undergo the EV validation process for their organization?" *73%* said it was either extremely important or very important to them. Another *17%* said it was somewhat important (total: *90%*).

(5) *92%* agreed or strongly agreed with the statement: "Web browser security indicators should be standardized across different browsers to make the UI easier for users to understand."

(6) Finally, when asked "Do you think browsers should standardize among themselves on a common Extended Validation UI so that it appears roughly the same in all browsers?" *91%* said yes.
Here is the distribution of respondents by number of employees (504 enterprise responses total):

Organization Size by Employee Count

  11.40%  1 to 99 employees
  12.72%  100 to 499 employees
   9.65%  500 to 999 employees
  26.10%  1,000 to 4,999 employees
  17.76%  5,000 to 19,999 employees
  20.83%  20,000 or more employees
   1.54%  Don't know

It's important for Mozilla to consider all relevant information when making security decisions – and the opinions of these website owners are important. They believe users have a right to know which organization is running a website before users hand over sensitive information, and they think browser UIs should be standardized across all browsers, including a standardized EV UI.

For this reason, we urge Mozilla to listen to website owners and not eliminate the EV UI in Firefox 70. Instead, Mozilla should work with other browsers to come up with common UI design elements, including for the EV UI, and engage in minimal user training on what the unified UIs mean.

We again recommend the binary Apple UI to all browsers, which works in both desktop and mobile environments and distinguishes between EV/identity sites (with a green lock symbol and URL) and DV/anonymous sites (with a black lock symbol and URL) – check it out on an iPhone. (Apple did not eliminate the EV UI, as some have erroneously said.) This is easy for users to understand at a glance. Taking away the EV UI in Safari means users have no easy way of knowing whether a site asking them for sensitive information has a known identity (little or no phishing) or is anonymous (lots of phishing).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

