Study questions EV certs effectiveness?

Study questions EV certs effectiveness?

dolphinling-2
Slashdot links[0] to a paper[1] about EV certificates today. I haven't actually
read the paper or the linked article, but the blurb contains the provocative line

"The study, based on user testing, found that EV certificates don't improve
users' ability to detect attacks, that the interface can be spoofed, and that
training users actually decreases their ability to detect attacks."

Since I haven't actually read it I'm not going to make any judgments, just
thought I'd put it out here for anyone who doesn't read slashdot to see.


[0] http://it.slashdot.org/article.pl?sid=07/01/26/1325228
[1] http://www.usablesecurity.org/papers/jackson.pdf (PDF)

--
dolphinling
<http://dolphinling.net/>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Study questions EV certs effectiveness?

Gervase Markham
dolphinling wrote:
> "The study, based on user testing, found that EV certificates don't
> improve users' ability to detect attacks, that the interface can be
> spoofed, and that training users actually decreases their ability to
> detect attacks."

What that actually means is that the study found that the Internet
Explorer EV UI (the green bar) doesn't improve users' ability to detect
attacks.

Gerv

Re: Study questions EV certs effectiveness?

Michael Lefevre
On 2007-01-29, Gervase Markham <[hidden email]> wrote:
> dolphinling wrote:
>> "The study, based on user testing, found that EV certificates don't
>> improve users' ability to detect attacks, that the interface can be
>> spoofed, and that training users actually decreases their ability to
>> detect attacks."
>
> What that actually means is that the study found that the Internet
> Explorer EV UI (the green bar) doesn't improve users' ability to detect
> attacks.

Indeed. But from what I've seen discussed so far though, the proposed
Firefox EV UI would be similar.  The picture-in-picture spoofs were highly
effective - it doesn't really matter what the security UI does or looks
like if it can be approximated by a web page.

There was also the finding that the user training actually made people
much more trusting of the spoof sites.  After being told about phishing
protection, people assumed that they could trust anything without a
phishing warning.  I don't see how that problem would be different for
Firefox.

--
Michael

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
Which leads me back to one of my original proposals to actually improve
the whole UI related to certification and provide an easy, but effective
way to display the most important information, especially the subject
line, by mouse-over or one click on the padlock! This would provide
better support of ALL types of certificates, since low assurance
certificates will not disappear either. But other well validated certificates
are going to exist and EV certificates are only one of them. Important
information is usually included within the subject line and it should be
easy for the user to reach this information!

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390

Michael Lefevre wrote:

> On 2007-01-29, Gervase Markham <[hidden email]> wrote:
>  
>> dolphinling wrote:
>>    
>>> "The study, based on user testing, found that EV certificates don't
>>> improve users' ability to detect attacks, that the interface can be
>>> spoofed, and that training users actually decreases their ability to
>>> detect attacks."
>>>      
>> What that actually means is that the study found that the Internet
>> Explorer EV UI (the green bar) doesn't improve users' ability to detect
>> attacks.
>>    
>
> Indeed. But from what I've seen discussed so far though, the proposed
> Firefox EV UI would be similar.  The picture-in-picture spoofs were highly
> effective - it doesn't really matter what the security UI does or looks
> like if it can be approximated by a web page.
>
> There was also the finding that the user training actually made people
> much more trusting of the spoof sites.  After being told about phishing
> protection, people assumed that they could trust anything without a
> phishing warning.  I don't see how that problem would be different for
> Firefox.
>
>  


Re: Study questions EV certs effectiveness?

Gervase Markham
In reply to this post by Michael Lefevre
Michael Lefevre wrote:
> Indeed. But from what I've seen discussed so far though, the proposed
> Firefox EV UI would be similar.  

There has been no decision whatsoever taken on what the Firefox UI for
EV would look like. In fact, Mike Beltzner (the Corporation UI lead)
doesn't like the green bar at all.

Gerv

Re: Study questions EV certs effectiveness?

Ka-Ping Yee-2
On Tue, 30 Jan 2007, Gervase Markham wrote:
> Michael Lefevre wrote:
> > Indeed. But from what I've seen discussed so far though, the proposed
> > Firefox EV UI would be similar.
>
> There has been no decision whatsoever taken on what the Firefox UI for
> EV would look like. In fact, Mike Beltzner (the Corporation UI lead)
> doesn't like the green bar at all.

That's interesting.  Where is the design discussion about the UI taking
place?


-- ?!ng

Re: Study questions EV certs effectiveness?

beltzner
On 1/30/07, Ka-Ping Yee <[hidden email]> wrote:
> That's interesting.  Where is the design discussion about the UI taking
> place?

There's been no real design discussion about how to surface EV
certificates in Firefox yet, really. But I'm pretty well established
on record as saying that the red/yellow/green treatment proposed by
IE, while an incremental improvement over what we have now, also
represents an oversimplification of a bunch of concepts into a set of
disingenuous "danger!", "caution!" and "safe!"  metaphors.

Here's a set of equations I like to repeat whenever I notice anyone's
listening - trust me, it's awkward at bus stops - and which are also
pretty tied to my disdain of the "green bar" UI:

   EV != safe
   EV = validated identity

   SSL/TLS != safe
   SSL/TLS = encrypted conduit

Being able to talk about validated identity is indeed quite
interesting, but advertising "get the green bar"[1], "go green"[2] or
telling users that they are safe when they see a green URL bar all
cause concern in my mind.

As for the future, I'm not sure that dev.security is the right place
for discussions of the UI. It's the right place for discussions of the
EV specification, for discussion of our plans to be able to detect,
parse and make EV metadata available, but the front end design of how
we surface that information is, IMO, a topic for dev.apps.firefox or
dev.apps.whateverAppBuiltOnMozillaThatsUsingEV :)


cheers,
mike

[1]: VeriSign uses this slogan
[2]: GlobalSign (http://www.globalsign.com/images/extended-validation-ssl.gif)
--
/ mike beltzner / phenomenologist / mozilla corporation /

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
Hi Mike,

beltzner wrote:
> Being able to talk about validated identity is indeed quite
> interesting, but advertising "get the green bar"[1], "go green"[2] or
> telling users that they are safe when they see a green URL bar all
> cause concern in my mind.
I'm glad to hear that! In a previous thread I made the suggestion and a
proposal, instead of colored address bars, to provide the user with
much needed information in an easier way than today, mainly:

- Mouse over the padlock should display basic information found in the
subject line.
- Click on the padlock should open the "Certificate Viewer".

Today the situation is that in order to get a clue about important
details of the issued certificate one has to:

Right Click on the page -> View Page Info -> Select Security Tab ->
Click View... in order to receive this information. This is not
efficient and most casual users can't / don't know how to get there and
what to expect! As mentioned in the earlier thread I suggest improving
the UI in such a way as to give the user an easy way to make a judgment
about the site. Obviously most CAs bother to include valuable
information in the subject line concerning the level and type of the
verification of the identity.

BTW, when clicking on the lock/signature in Thunderbird I receive the
Certificate Viewer... why this isn't the same behavior in Firefox is
mysterious ;-)

And lastly, it is obvious that the EV forum is a business plan and I
certainly hope that Mozilla doesn't lend a hand to it, especially since
- despite the claim made at the "CA-Browser Forum" - this is a closed
forum and organization! Until this has been corrected by this
forum - of which Mozilla is a part, after all!!! - I suggest not
providing the incentive of a green or whatever address bar!
> As for the future, I'm not sure that dev.security is the right place
> for discussions of the UI. It's the right place for discussions of the
> EV specification, for discussion of our plans to be able to detect,
> parse and make EV metadata available, but the front end design of how
> we surface that information is, IMO, a topic for dev.apps.firefox or
> dev.apps.whateverAppBuiltOnMozillaThatsUsingEV :)
Could you pop in a line at dev-security, once a discussion has started
in one of the relevant mailing lists, so we could join that effort as
well? Thanks!
> [1]: VeriSign uses this slogan
> [2]: GlobalSign
> (http://www.globalsign.com/images/extended-validation-ssl.gif)

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Study questions EV certs effectiveness?

Boris Zbarsky
In reply to this post by beltzner
Eddy Nigg (StartCom Ltd.) wrote:
> - Mouse over the padlock should display basic information found in the
> subject line.

Mousing over the padlock currently shows a tooltip that says "Authenticated by
XXXX" where XXXX is the O field of the certificate issuer.  I agree that we
could show better stuff here.  The question is what to show.

> - Click on the padlock should open the "Certificate Viewer".

In Seamonkey, clicking on the padlock opens the "security" tab in page info.  In
Firefox, double-clicking on the padlock does the same.

> Today the situation is, that in order to get a clue about important
> details of the issued certificate one has to:
>
> Right Click on the page -> View Page Info -> Select Security Tab ->
> Click View....

Actually, in Firefox, "Double-click on the lock, click View".  But yes, clearly
not so discoverable (e.g. you didn't find it).

> most casual users can't / don't know how to get there and
> what to expect!

They wouldn't know to click on the lock icon either, frankly...

-Boris

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
Hi Boris,

Boris Zbarsky wrote:
> Mousing over the padlock currently shows a tooltip that says
> "Authenticated by XXXX" where XXXX is the O field of the certificate
> issuer.  I agree that we could show better stuff here.  The question
> is what to show.
Right! I think the "Authenticated by" is not the most important perhaps
(And I'm saying this while running a CA ;-)). I like the approach Opera took, for
example, which shows in the address bar to whom the certificate is issued,
and a click on it brings up a window with all important details about
the holder and the issuer of the certificate. Certainly worth looking
into a similar option for FF.
>
> In Seamonkey, clicking on the padlock opens the "security" tab in page
> info.  In Firefox, double-clicking on the padlock does the same.
Yes, actually you are right! Perhaps I'm just used to previous FF
versions? Don't know...
>
> Actually, in Firefox, "Double-click on the lock, click View".  But
> yes, clearly not so discoverable (e.g. you didn't find it).
Also yes... I guess that opening the Certificate Viewer instead would be
a minor investment with the greatest effect. If the UI people can agree
on this we could open a bug perhaps...
>
> They wouldn't know to click on the lock icon either, frankly...
Maybe :-) So a prominent section in the address bar dedicated to the
lock, with additional information if the page is secured, would attract
more attention than currently. I think the combination of both steps
would bring an improvement to FF.

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Study questions EV certs effectiveness?

beltzner
In reply to this post by Eddy Nigg (StartCom Ltd.)
On 2/1/07, Eddy Nigg (StartCom Ltd.) <[hidden email]> wrote:
> Could you pop in a line at dev-security, once a discussion has started
> in one of the relevant mailing lists, so we could join that effort as
> well? Thanks!

Certainly. I promise, double cross my heart and hope to die.

cheers,
mike

--
/ mike beltzner / phenomenologist / mozilla corporation /

Re: Study questions EV certs effectiveness?

Gervase Markham
In reply to this post by Boris Zbarsky
Eddy Nigg (StartCom Ltd.) wrote:
> Right! I think the "Authenticated by" is not the most important perhaps
> (And I'm saying this while running a CA ;-)). I like the approach Opera took, for
> example, which shows in the address bar to whom the certificate is issued,
> and a click on it brings up a window with all important details about
> the holder and the issuer of the certificate. Certainly worth looking
> into a similar option for FF.

But (and I feel like a broken record) we should only display this
information if there's some chance it'll be correct. And we're back into
the "how good are current organisational vetting procedures?" question
which EV is supposed to deal with.

Gerv

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
Gervase Markham wrote:
>
> But (and I feel like a broken record)
Me too ;-)
> we should only display this information if there's some chance it'll
> be correct.
No, a decent browser should provide the information of the certificate
in an easy way! Withholding valuable information isn't perhaps the job
of a browser?
> And we're back into the "how good are current organisational vetting
> procedures?" question which EV is supposed to deal with.

But also back and again...EV is a business plan! It has nothing to do
with the supposed verification procedures, because the procedures
existed in similar forms already...any CA is free to pick these
procedures as their own and start issuing certificates accordingly
today! But it's truly the problem about how to market and sell them! It
was obvious a while ago and it's more obvious now....This is the issue
here....It's the incentive the browser vendors have to give to the
customers of the issuing CAs.

Concerning the user, I think when we asked a few months ago about studies
concerning the effectiveness of the "green address bar", none could be
provided. Now there are some negative reports... But I'm sure you'll
swiftly receive a few studies paid for by some CA showing how EV helps the
user... à la "Get the Windows Facts"...

In the meantime, let the various CAs do a really great job and make
some real good verifications based on the EV guidelines - without the
green incentive!


--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Study questions EV certs effectiveness?

Daniel Veditz
In reply to this post by Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote:
> But also back and again...EV is a business plan! It has nothing to do
> with the supposed verification procedures, because the procedures
> existed in similar forms already...any CA is free to pick these
> procedures as their own and start issuing certificates accordingly
> today!

Yes, they could but the presentation in the browser is exactly the same
whether they do or don't. Why would they bother doing it the hard way? More
and more CAs are apparently asking themselves that question.

I don't really care about helping CAs sell more expensive certs, but I do
want them to do more validation with an explicit standard we can hold them
to. If we can offer a usable and effective UI differentiator for EV certs
maybe we and the CAs can both get what we want (big if). Threatening to
turn off "EV-ness" of a CA's root cert for non-compliance with the standard
is a more credible threat than yanking the root from the browser and
frustrating millions of users.

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
Hi Dan,

Dan Veditz wrote:
>
> Yes, they could but the presentation in the browser is exactly the same
> whether they do or don't. Why would they bother doing it the hard way? More
> and more CAs are apparently asking themselves that question.
>  
Well no! CAs did in the past and today offer thorough identity
verification (personal and organizations alike), but it's the
_subscriber_ who is making the decision here. This is also true for EV
certification and nothing will change in that respect! A rare minority
would buy EV without the green incentive... So it's not the CA not
offering thorough validations, but the subscriber not willing to pay for it!

And obviously EV will not prevent phishing of the "big" web sites, for
various reasons. First because phishing sites mostly don't use SSL to
start with, second the green address bar has also its drawbacks... which
will resolve in the same way as the padlock! We aren't living in a
perfect world and user education is a major problem!

More than that, current anti-phishing functions now found in most
browsers and mail clients are much better in preventing phishing attacks!
I think that on this forum most agree with the fact that EV is not
going to be effective nor the front line of defense against phishing....

Additional thoughts are that nobody should blindly follow through on a
purchase or sharing of sensitive data without coming to a conscious
decision - even if EV validated or similar. Because validation of the
identity doesn't guarantee to anybody that this entity will deliver the
goods and not misuse your information! Suing somebody in court isn't fun
either and doesn't guarantee that this entity can pay for the damage...

> I don't really care about helping CAs sell more expensive certs, but I do
> want them to do more validation with an explicit standard we can hold them
> to.
That in itself would be a good thing, however the whole thing is once
again dictated by Verisign and Microsoft. There wasn't an open process
as far as I'm concerned, and it's really about getting the CA business
back on track!
> If we can offer a usable and effective UI differentiator for EV certs
> maybe we and the CAs can both get what we want (big if). Threatening to
> turn off "EV-ness" of a CA's root cert for non-compliance with the standard
> is a more credible threat than yanking the root from the browser and
> frustrating millions of users.
Yes maybe... so no CA ever guarantees support of their CA certificate
in browsers to the subscriber... So perhaps any such CA will have
problems selling more of the same; the ones which get burned the most
are the subscribers under such a scenario! And I'm not talking about
eBay... they can afford it...

But how fast can a browser vendor remove EV support for a certain CA?
Instantly? If not, millions of relying parties might be at risk?
But now thinking about eBay again: What happens to such a site, if they
educate their users to look for the green address bar and then all of a
sudden it turns white or yellow... Can you imagine the possible damage
due to lost purchases and the confusion? I don't believe that any
browser vendor has the guts to remove EV support from one of the big
five CAs from their browsers, let alone removing their CA root!
And because neither Mozilla nor any other browser vendor would do this -
it remains a hollow phrase without meaning and teeth...

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Study questions EV certs effectiveness?

charter77
In reply to this post by dolphinling-2
Another study on users' attentiveness, this time based on Sitekey
(which uses self-selected images to help users verify they are
visiting a trusted site).  Apparently users accept that stuff changes
all the time on websites/browsers while their habits do not.

http://usablesecurity.org/emperor/

"Absence of indicators that SSL is used, and absence of an image-based
site authenticity indicator (such as SiteKey -- although the authors
do not mention which bank was involved in the study -- are almost
entirely ignored by subjects. Only a relatively dire IE7-style warning
page seems to dissuade the subjects, and even then over a third logged
in even when their real credentials, at their real bank, were
involved."


Re: Study questions EV certs effectiveness?

Ben Bucksch
In reply to this post by Daniel Veditz
Dan Veditz wrote:
> I don't really care about helping CAs sell more expensive certs, but I do
> want them to do more validation with an explicit standard we can hold them
> to. If we can offer a usable and effective UI differentiator for EV certs
> maybe we and the CAs can both get what we want (big if). Threatening to
> turn off "EV-ness" of a CA's root cert for non-compliance with the standard
> is a more credible threat than yanking the root from the browser and
> frustrating millions of users.

OK, if you see this as central, then let's explore this more.

EV (just like SSL) is based on the idea that users will pay attention to
it, that they'll notice the change from usually green to now white when
doing online banking and be alerted and halt.

Now, how is that different from today? We're not (yet) stopping people
from going to SSL sites with an invalid cert, we show a dialog, which
most people have no clue about; they just dismiss it and go on, seeing
it just as a (popup) annoyance. If we "yank roots" today, people can still
go to the sites, they'll just get these alerts.

If you disable EV for a specific CA (could we do that), how is that
different from today? That the change is more subtle, less annoying.

But if people still go to sites, it means the EV UI is completely
ineffective. If they don't, we have the same or worse problem as today.

Note that in either case, we'll make a huge number of sites "invalid",
99% of which are legitimate and perfectly validated and correct.

--
When responding via mail, please remove the ".news" from the email address.

Re: Study questions EV certs effectiveness?

Ben Bucksch
In reply to this post by Daniel Veditz
Eddy Nigg (StartCom Ltd.) wrote:
> Well no! CAs did in the past and today offer thorough identity
> verification (personal and organizations alike), but it's the
> _subscriber_ who is making the decision here. This is also true for EV
> certification and nothing will change in that respect! A rare minority
> would buy EV without the green incentive... So it's not the CA not
> offering thorough validations, but the subscriber not willing to pay
> for it!

True. Good comment.

> More than that, current anti-phishing functions now found in most
> browsers and mail clients are much better in preventing phishing
> attacks! I think that on this forum most agree with the fact that EV
> is not going to be effective nor the front line of defense against
> phishing....

I disagree. I think that anti-phishing blacklists are a band-aid.

I think the most effective anti-phishing measures are:

    * Bookmarks
    * Clearly showing domain (and *only* domain) and maybe real world
      owner (from cert)


> Additional thoughts are, that nobody should blindly follow through on
> a purchase or sharing of sensitive data without coming to a conscious
> decision - even if EV validated or similar.

I think that's too much a lifestyle and political question :).

>> yanking the root
> the ones which get burned the most are the subscribers under such a
> scenario

True. That's why I don't think that's a good scenario, as-is. We should
hurt the CA, not its customers (the sites).

Maybe an NSS feature to treat all certs from a certain CA issued *after*
a certain time as invalid would be nice *evil grin*, esp. with us
notifying existing cert holders that they need to renew with another CA.
That'll give the CA the shivers *lol*.


--
When responding via mail, please remove the ".news" from the email address.


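Two points in this thread lend themselves to a worked example: Boris's observation that the Firefox tooltip surfaces the issuer's O field while Eddy wants the subject line surfaced, and Ben's idea above of treating a CA's certificates issued after a given date as invalid. The Go program below is an added example written for this page; it is not code from the thread, from Mozilla or from NSS. It builds a constructed site certificate in memory, extracts the issuer O, subject O and CN a browser might display, checks for an EV policy OID in the certificatePolicies extension, and applies the cutoff rule. The CA and subject names, the dates and the EV policy OID are all assumptions invented for the example; each CA published its own EV policy OID at the time, and the thread names none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
	// Hypothetical EV policy OID, an assumption for this example only: in 2007
	// each CA published its own EV policy OID and the thread names none.
	ExampleEVPolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
)

// CertSummary is what a browser could surface for a site certificate: the
// issuer's O (the current "Authenticated by" tooltip), the subject's O and CN
// (an Opera-style "issued to" display) and whether the cert asserts the EV OID.
type CertSummary struct {
	IssuerOrg, SubjectOrg, SubjectCN string
	EV                               bool
}

// Summarize pulls the display fields out of a parsed certificate.
func Summarize(cert *x509.Certificate, evOID asn1.ObjectIdentifier) CertSummary {
	s := CertSummary{
		IssuerOrg:  strings.Join(cert.Issuer.Organization, ", "),
		SubjectOrg: strings.Join(cert.Subject.Organization, ", "),
		SubjectCN:  cert.Subject.CommonName,
	}
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(evOID) {
			s.EV = true
		}
	}
	return s
}

// IssuedAfterCutoff is the "stop honouring CA X from date T onward" rule: true
// means reject. Certificates the CA issued before the cutoff still pass, so the
// CA is penalised without breaking its existing subscribers' sites.
func IssuedAfterCutoff(cert *x509.Certificate, issuerOrg string, cutoff time.Time) bool {
	for _, o := range cert.Issuer.Organization {
		if o == issuerOrg && cert.NotBefore.After(cutoff) {
			return true
		}
	}
	return false
}

// NewTestLeaf builds a constructed site certificate in memory and returns it
// parsed. The issuer name is taken from a bare parent template (no CA
// certificate is materialised); with ev set, the leaf carries ExampleEVPolicyOID.
func NewTestLeaf(issuerOrg, subjectOrg, cn string, notBefore time.Time, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent := &x509.Certificate{Subject: pkix.Name{Organization: []string{issuerOrg}}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{subjectOrg}, CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ev {
		// certificatePolicies encoded by hand (PolicyInformation, no qualifiers) so the
		// result is independent of which policy field a given Go release marshals.
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{ExampleEVPolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	leaf, err := NewTestLeaf("Example CA Inc", "Example Bank plc", "www.example.com",
		time.Date(2007, 1, 15, 0, 0, 0, 0, time.UTC), true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Summarize(leaf, ExampleEVPolicyOID))
	cutoff := time.Date(2007, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("rejected under a 2007-01-01 cutoff for Example CA Inc:", IssuedAfterCutoff(leaf, "Example CA Inc", cutoff))
}
```

Run it with `go run` to see the summary for the constructed certificate. The cutoff rule keys on NotBefore and the issuer's O, so certificates already in the field keep validating while anything the CA issues after the date fails; matching on the issuer name alone is an illustration, and a real implementation would key on the CA's root or issuing key rather than a string anyone can put in a DN.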
Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
In reply to this post by Ben Bucksch
Hi Ben,

Ben Bucksch wrote:
> EV (just like SSL) is based on the idea that users will pay attention to
> it, that they'll notice the change from usually green to now white
> when doing online banking and be alerted and halt.
If this assumption turns out to be correct, then imagine the potential
damage to a subscriber until he gets a new certificate from a different
CA. Which leads me to something else....
>
> If you disable EV for a specific CA (could we do that), how is that
> different from today? That the change is more subtle, less annoying.
I believe - though I don't know this for certain - that currently no well
defined policy exists at Mozilla for removing either a CA or eventual EV
support. This is something which has to be clearly defined and
_procedures should be implemented_ on how, when, why and if any of these
can be performed.

However under such a scenario it is most likely that the CA will fall,
most of the time if not always, into a grey area, having performed
some steps and maybe omitted some. Now Mozilla would need actual facts
about the omitted validation procedures or shortcomings by the CA,
information to which Mozilla doesn't have access! Without these
facts, Mozilla would have extreme difficulty justifying such a step as
removing a root or removing EV support eventually!

It is also likely that only a very small number of wrongfully issued
certificates or those with incomplete verifications will surface, making
it even harder for Mozilla to do anything - especially when the size and
"importance" of the CA is higher. After how many dubious certificates
should anything happen? What does Mozilla have to prove and what are the
options of the CA?

But imagine now that a company received an EV certificate and this very
company turns out to be a real crook.... The CA most likely has performed
the verification correctly according to the guidelines (which turned out
to be much more "flexible" than I thought) under such circumstances, but
because of the _wrong expectations EV raises_, the damage to relying
parties could be much higher than usual! And there is nothing Mozilla
can do about it! And EV and the browser vendors will become the laughing
stock of the Internet news sites...

And it doesn't help that one can sue this company, because it closed
down in the meantime and the owners are having a good time on some nice
island! There is also no insurance money to take, because the CA
performed the validation according to the guidelines. But the
expectations are raised today tremendously, mainly by Microsoft and the
various CAs themselves, way beyond what they are and what they can
provide... and this is just another argument why there shouldn't be any
special treatment of EV or any other standard put forward by some
interest group - at least for now!

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.)
In reply to this post by Ben Bucksch
Hi Ben,

Ben Bucksch wrote:
>> ...So it's not the CA not offering thorough validations, but the
>> subscriber not willing to pay for it!
>
> True. Good comment.
Thank you ;-)
>
>> More than that, current anti-phishing functions now found in most
>> browsers and mail clients are much better in preventing phishing
>> attacks! I think that on this forum most agree with the fact that
>> EV is not going to be effective nor the front line of defense against
>> phishing....
>
> I disagree. I think that anti-phishing blacklists are a band-aid.
Yes, I believe that too! But currently they are still better in
preventing mistakes made by users, which phishing is all about... It's
not that the site in question doesn't have a valid certificate, it's
the user following to the wrong site... The same user will not care too
much about the color of the address bar either... Therefore the current
band-aids are not the best one could hope for, but pretty effective
right now...
> I think the most effective anti-phishing measures are:
>
>    * Bookmarks
Education, education, education ;-)
>    * Clearly showing domain (and *only* domain) and maybe real world
>      owner (from cert)
Already suggested this and more.... Generally in agreement with you, but I'm
not sure if the domain name itself is the most important thing, because
the domain is in the address bar already and if that's not the correct
domain, then the browser already barks...

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
