Beyond EV: Thoughts on trust and actionable trust signals

Matthew Hardeman

Dec 14, 2017, 3:31:44 PM
to mozilla-dev-security-policy
All,

Recent events and a body of historical research have of late been causing
questions among a great many respected security researchers and browser UI
guys about the benefits of browser UI signal for EV certificates.

I'd like to start a discussion tangent to that ongoing dialogue.
Regardless of any changes in EV certificate handling -- or any lack of
changes, I think it may be worthwhile to have a discussion about the
appropriateness of trust indicators in browser UI and the things that might
support an indication of a trust indicator.

Today, browsers grant an enhanced display to EV certificates because EV
certificates identify the existence of an entity, the authorization of a
certificate requestor to request a certificate on behalf of the entity, and
link the certificate between the domain(s) of the entity and the entity
itself.

In general, it is presumed that this increases the notion that the website
presenting this certificate is trustworthy -- most especially, the
marketing of the EV "brand" suggests to us that these websites are more
trustworthy in terms that we can be confident in engaging in commerce with
these websites.

Recent work by security researchers such as Ian Carroll has shown that trust
is likely a bit more complicated. We can't trust, in the general case,
that "Stripe, Inc." means the Stripe of stripe.com -- the payment
processor. In fact, Ian's work involved the creation of a separate
"Stripe, Inc." in Kentucky.

I have several questions for the community to ponder:

1. If a technologically detectable and authenticatable indicator that a
site was "measurably more trustworthy than the general case for the purpose
of engagement in commerce", would that merit a browser UI indicator of some
form? Specifically a browser initiated UI element, such that the target
website itself could not simulate or emulate the indicator in a compelling
way.

2. What data or documentation, fully validated, might possibly rise to the
above bar regarding the real world identification and legitimacy of the
operator of the target website?

Certainly, I have my own thoughts and opinions on this topic. And if
there's interest and traction on those questions by other community
matters, I hope to expound on those in the course of that conversation.

Thanks,

Matt Hardeman

Ryan Sleevi

Dec 14, 2017, 7:33:18 PM
to Matthew Hardeman, mozilla-dev-security-policy
On Thu, Dec 14, 2017 at 3:31 PM Matthew Hardeman via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> I have several questions for the community to ponder:
>
> 1. If a technologically detectable and authenticatable indicator that a
> site was "measurably more trustworthy than the general case for the purpose
> of engagement in commerce", would that merit a browser UI indicator of some
> form? Specifically a browser initiated UI element, such that the target
> website itself could not simulate or emulate the indicator in a compelling
> way.


No.

As a rhetorical framing though, I’m not sure it’s a productive avenue.
There are a number of inherent assumptions and flaws even in the framing of
this that it ultimately prevents meaningful discussion. Your second
question embodies this in its presumption of a solution, while also being
inherently tied to encouraging opinions without data.

I dislike the inherent framing as UI as somehow a consensus driven
approach, but if I were to encourage you with more productive questions:

1) Do positive indicators improve compliance?

There’s ample HCI and usability research on that, so perhaps that’s a good
starting point in unpacking some of your assumptions captured in the
question.