info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to Ship: Move Extended Validation Information out of the URL bar
311 views
Skip to first unread message
Johann Hofmann
Aug 12, 2019, 4:05:15 AM8/12/19
to Firefox Dev, dev-platform, Wayne Thayer
In desktop Firefox 70, we intend to remove Extended Validation (EV)
indicators from the identity block (the left hand side of the URL bar which
is used to display security / privacy information). We will add additional
EV information to the identity panel instead, effectively reducing the
exposure of EV information to users while keeping it easily accessible.
Before:
After:
The effectiveness of EV has been called into question numerous times over
the last few years, there are serious doubts whether users notice the
absence of positive security indicators and proof of concepts have been pitting
EV against domains <https://www.typewritten.net/writer/ev-phishing/> for
phishing.
More recently, it has been shown <https://stripe.ian.sh/> that EV
certificates with colliding entity names can be generated by choosing a
different jurisdiction. 18 months have passed since then and no changes
that address this problem have been identified.
The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.
On our side a pref for this
(security.identityblock.show_extended_validation) was added in bug 1572389
<https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie for
working on it!). We're planning to flip this pref to false in bug 1572936
<https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
Please let us know if you have any questions or concerns,
Wayne & Johann
indicators from the identity block (the left hand side of the URL bar which
is used to display security / privacy information). We will add additional
EV information to the identity panel instead, effectively reducing the
exposure of EV information to users while keeping it easily accessible.
Before:
After:
The effectiveness of EV has been called into question numerous times over
the last few years, there are serious doubts whether users notice the
absence of positive security indicators and proof of concepts have been pitting
EV against domains <https://www.typewritten.net/writer/ev-phishing/> for
phishing.
More recently, it has been shown <https://stripe.ian.sh/> that EV
certificates with colliding entity names can be generated by choosing a
different jurisdiction. 18 months have passed since then and no changes
that address this problem have been identified.
The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.
On our side a pref for this
(security.identityblock.show_extended_validation) was added in bug 1572389
<https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie for
working on it!). We're planning to flip this pref to false in bug 1572936
<https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
Please let us know if you have any questions or concerns,
Wayne & Johann
Marissa (Reese) Wood
Aug 12, 2019, 5:36:44 AM8/12/19
to Johann Hofmann, Firefox Dev, dev-platform, Wayne Thayer
I quite like this. Thank you for the update!
Marissa (Reese) Wood, PMP, CISSP | Cell Phone <tel:303-506-3282> 303-506-3282 | <mailto:re...@mozilla.com> re...@mozilla.com | Slack: #Marissa (Reese)
From: firefox-dev <firefox-d...@mozilla.org> On Behalf Of Johann Hofmann
Sent: Monday, August 12, 2019 10:05 AM
To: Firefox Dev <firef...@mozilla.org>
Cc: dev-platform <dev-pl...@lists.mozilla.org>; Wayne Thayer <wth...@mozilla.com>
Subject: Intent to Ship: Move Extended Validation Information out of the URL bar
In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.
Before:
<https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F>
After:
<https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u>
The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been <https://www.typewritten.net/writer/ev-phishing/> pitting EV against domains for phishing.
More recently, it has been <https://stripe.ian.sh/> shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.
The Chrome team recently removed EV indicators from the URL bar in Canary and announced <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI> their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.
On our side a pref for this (security.identityblock.show_extended_validation) was added in <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> bug 1572389 (thanks :evilpie for working on it!). We're planning to flip this pref to false in <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936> bug 1572936.
Marissa (Reese) Wood, PMP, CISSP | Cell Phone <tel:303-506-3282> 303-506-3282 | <mailto:re...@mozilla.com> re...@mozilla.com | Slack: #Marissa (Reese)
From: firefox-dev <firefox-d...@mozilla.org> On Behalf Of Johann Hofmann
Sent: Monday, August 12, 2019 10:05 AM
To: Firefox Dev <firef...@mozilla.org>
Cc: dev-platform <dev-pl...@lists.mozilla.org>; Wayne Thayer <wth...@mozilla.com>
Subject: Intent to Ship: Move Extended Validation Information out of the URL bar
In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.
Before:
After:
<https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u>
The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been <https://www.typewritten.net/writer/ev-phishing/> pitting EV against domains for phishing.
More recently, it has been <https://stripe.ian.sh/> shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.
The Chrome team recently removed EV indicators from the URL bar in Canary and announced <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI> their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.
On our side a pref for this (security.identityblock.show_extended_validation) was added in <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> bug 1572389 (thanks :evilpie for working on it!). We're planning to flip this pref to false in <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936> bug 1572936.
Dão Gottwald
Aug 14, 2019, 7:52:05 AM8/14/19
to Johann Hofmann, Firefox Dev, dev-platform, Wayne Thayer
Are we going to remove support for this pref in a subsequent release?
Am Mo., 12. Aug. 2019 um 10:05 Uhr schrieb Johann Hofmann <
jhof...@mozilla.com>:
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
>
> Before:
>
>
> After:
> phishing.
>
> More recently, it has been shown <https://stripe.ian.sh/> that EV
> <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
> firefox-dev mailing list
> firef...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
>
Am Mo., 12. Aug. 2019 um 10:05 Uhr schrieb Johann Hofmann <
jhof...@mozilla.com>:
> In desktop Firefox 70, we intend to remove Extended Validation (EV)
> indicators from the identity block (the left hand side of the URL bar which
> is used to display security / privacy information). We will add additional
> EV information to the identity panel instead, effectively reducing the
> exposure of EV information to users while keeping it easily accessible.
>
> Before:
>
>
>
>
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
>
> The effectiveness of EV has been called into question numerous times over
> the last few years, there are serious doubts whether users notice the
> absence of positive security indicators and proof of concepts have been pitting
> EV against domains <https://www.typewritten.net/writer/ev-phishing/> for
> phishing.
>
> More recently, it has been shown <https://stripe.ian.sh/> that EV
> certificates with colliding entity names can be generated by choosing a
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
>
> The Chrome team recently removed EV indicators from the URL bar in Canary
> and announced their intent to ship this change in Chrome 77
> different jurisdiction. 18 months have passed since then and no changes
> that address this problem have been identified.
>
> The Chrome team recently removed EV indicators from the URL bar in Canary
> <https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
> Safari is also no longer showing the EV entity name instead of the domain
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
>
>
>
> On our side a pref for this
> name in their URL bar, distinguishing EV only by the green color. Edge is
> also no longer showing the EV entity name in their URL bar.
>
>
>
> On our side a pref for this
> (security.identityblock.show_extended_validation) was added in bug 1572389
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie
> for working on it!). We're planning to flip this pref to false in bug
> 1572936 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
>
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1572389> (thanks :evilpie
> for working on it!). We're planning to flip this pref to false in bug
> 1572936 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
>
> Please let us know if you have any questions or concerns,
>
> Wayne & Johann
> _______________________________________________
>
> Wayne & Johann
> firefox-dev mailing list
> firef...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
>
Eric Shepherd (Sheppy)
Aug 21, 2019, 1:40:09 PM8/21/19
to Johann Hofmann, Firefox Dev, Wayne Thayer, dev-platform
I’m glad to hear it; the presence of the EV indicator often occupied so
much space that the URL bar would become practically unusable. Example
attached.
On August 12, 2019 at 4:05:09 AM, Johann Hofmann (jhof...@mozilla.com)
wrote:
The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.
Eric Shepherd
Senior Technical Writer
MDN Web Docs <https://developer.mozilla.org/>
Blog: https://www.bitstampede.com/
much space that the URL bar would become practically unusable. Example
attached.
On August 12, 2019 at 4:05:09 AM, Johann Hofmann (jhof...@mozilla.com)
wrote:
The Chrome team recently removed EV indicators from the URL bar in Canary
and announced their intent to ship this change in Chrome 77
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI>.
Safari is also no longer showing the EV entity name instead of the domain
name in their URL bar, distinguishing EV only by the green color. Edge is
also no longer showing the EV entity name in their URL bar.
Senior Technical Writer
MDN Web Docs <https://developer.mozilla.org/>
Blog: https://www.bitstampede.com/
0 new messages