Firefox removes UI for site identity

[Paul Walsh]

Directly question for Mozilla.

Today, the website identity UI was removed from Firefox. “We" new it was coming. But millions of users didn’t.

Why wasn’t this mentioned in the release notes on the page that’s automatically opened following the update?

Someone might say “they didn’t know it was there anyway”. While this is true for the vast majority, it doesn’t answer my question. And it’s not 100% accurate for every user of Firefox.

It’s significant enough to warrant being mentioned in my opinion. And a blog post doesn’t count.

Thanks,
- Paul

[Johann Hofmann]

Hi Paul,

thanks for the heads up. This wasn't intentional and I've reached out to
get the security UI changes added to the release notes for 70. You're right
that this is significant enough to be included. The page should be updated
very soon, so that most users will see the new version (due to throttled
rollouts and a general delay in users updating).

Cheers,

Johann

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

[Paul Walsh]

Thanks Johann. Much appreciated. Would you be kind enough to email me a screen shot to save me the trouble of installing an older version and then waiting for an update? :)

Thanks,
- Paul

> On Oct 22, 2019, at 1:29 PM, Johann Hofmann <jhof...@mozilla.com> wrote:
>
> Hi Paul,
>
> thanks for the heads up. This wasn't intentional and I've reached out to get the security UI changes added to the release notes for 70. You're right that this is significant enough to be included. The page should be updated very soon, so that most users will see the new version (due to throttled rollouts and a general delay in users updating).
>
> Cheers,
>
> Johann
>

> On Tue, Oct 22, 2019 at 9:06 PM Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
> Directly question for Mozilla.
>
> Today, the website identity UI was removed from Firefox. “We" new it was coming. But millions of users didn’t.
>
> Why wasn’t this mentioned in the release notes on the page that’s automatically opened following the update?
>
> Someone might say “they didn’t know it was there anyway”. While this is true for the vast majority, it doesn’t answer my question. And it’s not 100% accurate for every user of Firefox.
>
> It’s significant enough to warrant being mentioned in my opinion. And a blog post doesn’t count.
>
> Thanks,
> - Paul
>
> _______________________________________________
> dev-security-policy mailing list

> dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-security-policy <https://lists.mozilla.org/listinfo/dev-security-policy>

[Kirk Hall]

I also have a question for Mozilla on the removal of the EV UI. This issue started with a posting by Mozilla on August 12, but despite 237 subsequent postings from many members of the Mozilla community, I don't think Mozilla staff ever responded to anything or anyone - not to explain or justify the decision, not to argue. Just silence.

So my question to Mozilla is, why did Mozilla post this as a subject on the mozilla.dev.security.policy list if it didn't plan to interact with members of the community who took the time to post responses?

In the future, if Mozilla has already made up its mind and is not interested in hearing back from the community, it might be better NOT to start a discussion on the list soliciting feedback.

[Wayne Thayer]

On Tue, Oct 22, 2019 at 1:38 PM Paul Walsh via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Thanks Johann. Much appreciated. Would you be kind enough to email me a
> screen shot to save me the trouble of installing an older version and then
> waiting for an update? :)
>
>

You can find the (now updated) release notes at
https://www.mozilla.org/en-US/firefox/70.0/releasenotes/

- Wayne

[Matt Palmer]

On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy wrote:
> I also have a question for Mozilla on the removal of the EV UI.

This is a mischaracterisation. The EV UI has not been removed, it has been
moved to a new location.

> So my question to Mozilla is, why did Mozilla post this as a subject on
> the mozilla.dev.security.policy list if it didn't plan to interact with
> members of the community who took the time to post responses?

What leads you to believe that Mozilla didn't plan to interact with members
of the community? It is entirely plausible that if any useful responses
that warranted interaction were made, interaction would have occurred.

I don't believe that Mozilla is obliged to respond to people who have
nothing useful to contribute, and who don't accurately describe the change
being made.

> This issue started with a posting by Mozilla on August 12, but despite 237
> subsequent postings from many members of the Mozilla community, I don't
> think Mozilla staff ever responded to anything or anyone - not to explain
> or justify the decision, not to argue. Just silence.

I think the decision was explained and justified in the initial
announcement. No information that contradicted the provided justification
was presented, so I don't see what argument was required.

> In the future, if Mozilla has already made up its mind and is not
> interested in hearing back from the community, it might be better NOT to
> start a discussion on the list soliciting feedback.

Soliciting feedback and hearing back from the community does not require
response from Mozilla, merely reading. Do you have any evidence that
Mozilla staff did not, in fact, read the feedback that was given?

- Matt

[Wayne Thayer]

The primary purpose of forwarding the Intent to Ship email to this list was
to inform the community of this planned change and the reasoning behind it.
Mozilla considered lots of information prior to announcing the change, and
during the vigorous debate that ensued, we continued to listen without
taking sides. In the end, the discussion and information presented did not
compel us to change our decision.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> https://lists.mozilla.org/listinfo/dev-security-policy
>

[Phillip Hallam-Baker]

On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <

If you are representing yourselves as having an open process, the lack of
response on the list does undermine that claim. The lack of interaction on
that particular topic actually speaks volumes.

Both parties in Congress have already signalled that they intend to go
after 'big tech'. Security is an obvious issue to focus on. While it is
unlikely Mozilla will be a target of those discussions, Google certainly is
and one employee in particular.

This is the point at which the smart people are going to lawyer up.

[Jakob Bohm]

On 23/10/2019 01:49, Matt Palmer wrote:
> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy wrote:
>> I also have a question for Mozilla on the removal of the EV UI.
>
> This is a mischaracterisation. The EV UI has not been removed, it has been
> moved to a new location.
>

It was moved entirely off screen, and replaced with very subtle
differences in the contents of a pop-up.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Paul Walsh]

On Oct 22, 2019, at 4:49 PM, Matt Palmer via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy wrote:
>> I also have a question for Mozilla on the removal of the EV UI.
>
> This is a mischaracterisation. The EV UI has not been removed, it has been
> moved to a new location.

[PW] Technically, I think you are both correct Matt. Please allow me to provide an analogy to explain why I say "removed" instead of "moved".

If an owner puts up a sign in their store window that says “we have moved to…” customers will know they have “moved". But if the owner vacates the premises without notice, customers will naturally assume it has closed down (i.e. removed). A few might go looking for them. But most won’t.

I personally use the term “removed” because Mozilla hasn’t actually signposted the changes anywhere. The original UI and UX was poor, which is why most people don’t know the difference between EV and DV icons. Instead of making it better, they made it much worse.

The team didn’t even include the update in the release notes until I brought it to their attention. Even then it’s not in plain English - using the term “EV” instead of "website identity” just shows how badly they have always communicated the meaning of the UI to consumers. But what’s the point in debating that. The horse has bolted.

Mozilla did however, take great care in educating users about the new tracking features and new UI. This only helps to demonstrate that it’s possible to educate users about a new feature or UI implementation for identity. But again, I digress. So we’ll just keep this as a receipt to prove that browser vendors believe it’s possible to train users to look for new visual indicators - contrary to what they say about identity information.

>
>> So my question to Mozilla is, why did Mozilla post this as a subject on
>> the mozilla.dev.security.policy list if it didn't plan to interact with
>> members of the community who took the time to post responses?
>
> What leads you to believe that Mozilla didn't plan to interact with members
> of the community? It is entirely plausible that if any useful responses
> that warranted interaction were made, interaction would have occurred.
>
> I don't believe that Mozilla is obliged to respond to people who have
> nothing useful to contribute, and who don't accurately describe the change
> being made.

[PW] I agree and disagree. I agree, because Mozilla is not obliged to do anything it doesn’t want to do. It’s not obliged to engage with the community. It’s not obliged to engage with anyone it doesn’t want to.

I disagree because no company, especially an open source, community driven foundation, should make changes that upset important stakeholders. Aside from the bad karma, it is poor product management. Perhaps the lack of community engagement in recent times is part of the reason for losing market share? Who knows. Either way it can be made better. I personally love the brand and what it stands for.

>
>> This issue started with a posting by Mozilla on August 12, but despite 237
>> subsequent postings from many members of the Mozilla community, I don't
>> think Mozilla staff ever responded to anything or anyone - not to explain
>> or justify the decision, not to argue. Just silence.
>
> I think the decision was explained and justified in the initial
> announcement. No information that contradicted the provided justification
> was presented, so I don't see what argument was required.

[PW] This is not a good way to build a product. I and many others called Mozilla out for making poor decisions around it’s OS and mobile browser strategies (lack of). So it’s possible for browser vendors to get big things very wrong.

>
>> In the future, if Mozilla has already made up its mind and is not
>> interested in hearing back from the community, it might be better NOT to
>> start a discussion on the list soliciting feedback.
>
> Soliciting feedback and hearing back from the community does not require
> response from Mozilla, merely reading. Do you have any evidence that
> Mozilla staff did not, in fact, read the feedback that was given?

[PW] If true, this is no longer the Mozilla that my team contributed to. As one of the first 50 contributors to Mozilla, my COO helped to build the Firefox developer evangelist community and he built spreadfirefox .com - my engineers contributed to Firefox code too. I don’t ever recall witnessing anyone use the words you chose to describe how the team should behave. Perhaps your words reflect current thinking…

- Paul

[Daniel Marschall]

> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy wrote:
>
> This is a mischaracterisation. The EV UI has not been removed, it has been
> moved to a new location.
>

That's like, when I throw something away, I didn't actually threw it away, I just moved it to a new location (the bin).

[Eric Mill]

Phillip, that was an unprofessional contribution to this list, that could
be read as a legal threat, and could contribute to suppressing dialogue
within this community. And, given that the employee to which it is clear
you are referring is not only a respected community member, but literally a
peer of the Mozilla Root Program, it is particularly unhelpful to Mozilla's
basic operations.

On Wed, Oct 23, 2019 at 10:33 AM Phillip Hallam-Baker via
dev-security-policy <dev-secur...@lists.mozilla.org> wrote:

> On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via
> > dev-security-policy wrote:

> > > I also have a question for Mozilla on the removal of the EV UI.
> >

> > This is a mischaracterisation. The EV UI has not been removed, it has
> been
> > moved to a new location.
> >

> > > So my question to Mozilla is, why did Mozilla post this as a subject on
> > > the mozilla.dev.security.policy list if it didn't plan to interact with
> > > members of the community who took the time to post responses?
> >
> > What leads you to believe that Mozilla didn't plan to interact with
> members
> > of the community? It is entirely plausible that if any useful responses
> > that warranted interaction were made, interaction would have occurred.
> >
> > I don't believe that Mozilla is obliged to respond to people who have
> > nothing useful to contribute, and who don't accurately describe the
> change
> > being made.
> >

> > > This issue started with a posting by Mozilla on August 12, but despite
> > 237
> > > subsequent postings from many members of the Mozilla community, I don't
> > > think Mozilla staff ever responded to anything or anyone - not to
> explain
> > > or justify the decision, not to argue. Just silence.
> >
> > I think the decision was explained and justified in the initial
> > announcement. No information that contradicted the provided
> justification
> > was presented, so I don't see what argument was required.
> >

> > > In the future, if Mozilla has already made up its mind and is not
> > > interested in hearing back from the community, it might be better NOT
> to
> > > start a discussion on the list soliciting feedback.
> >
> > Soliciting feedback and hearing back from the community does not require
> > response from Mozilla, merely reading. Do you have any evidence that
> > Mozilla staff did not, in fact, read the feedback that was given?
> >
>

> If you are representing yourselves as having an open process, the lack of
> response on the list does undermine that claim. The lack of interaction on
> that particular topic actually speaks volumes.
>
> Both parties in Congress have already signalled that they intend to go
> after 'big tech'. Security is an obvious issue to focus on. While it is
> unlikely Mozilla will be a target of those discussions, Google certainly is
> and one employee in particular.
>
> This is the point at which the smart people are going to lawyer up.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
Eric Mill
617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>

[Phillip Hallam-Baker]

Eric,

I am not going to be gaslighted here.

Just what was your email supposed to do other than "suppressing dialogue
within this community"?

I was making no threat, but if I was still working for a CA, I would
certainly get the impression that you were threatening me.

The bullying and unprofessional behavior of a certain individual is one of
the reasons I have stopped engaging in CABForum, an organization I
co-founded. My contributions to this industry began in 1992 when I began
working on the Web with Tim Berners-Lee at CERN.


The fact that employees who work on what is the third largest browser also
participate in the technical and policy discussions of the third largest
browser which is also the only multi-party competitor should be a serious
concern to Google and Mozilla. It is a clear anti-Trust liability to both
concerns. People here might think that convenient, but it is not the sort
of arrangement I for one would like to be having to defend in Congressional
hearings.

As I said, I do not make threats. My concern here is that we have lost
public confidence. We are no longer the heroes we once were and politicians
in your own party are now running against 'Big Tech'. We already had DoH
raised in the House this week and there is more to come. We have six months
at most to put our house in order.

[Paul Walsh]

On Oct 24, 2019, at 12:36 PM, Phillip Hallam-Baker via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> Eric,
>
> I am not going to be gaslighted here.
>
> Just what was your email supposed to do other than "suppressing dialogue
> within this community"?
>
> I was making no threat, but if I was still working for a CA, I would
> certainly get the impression that you were threatening me.
>
> The bullying and unprofessional behavior of a certain individual is one of
> the reasons I have stopped engaging in CABForum, an organization I
> co-founded. My contributions to this industry began in 1992 when I began
> working on the Web with Tim Berners-Lee at CERN.
>
>
> The fact that employees who work on what is the third largest browser also
> participate in the technical and policy discussions of the third largest
> browser which is also the only multi-party competitor should be a serious
> concern to Google and Mozilla. It is a clear anti-Trust liability to both
> concerns. People here might think that convenient, but it is not the sort
> of arrangement I for one would like to be having to defend in Congressional
> hearings.
>
> As I said, I do not make threats. My concern here is that we have lost
> public confidence. We are no longer the heroes we once were and politicians
> in your own party are now running against 'Big Tech'. We already had DoH
> raised in the House this week and there is more to come. We have six months
> at most to put our house in order.

[PW] +1 on everything said by Phil. I particularly like "We are no longer the heroes we once were”. The fact that Phil stopped contributing to the CABForum due to one bully means industry loses out - I’ve noticed a massive decline in participation from many members - some of them for the same reason as I told me in private.

I’d like to add that I’ve only met Phil once, when we were both speakers at the W3C WWW2006 conference. I showed him a Firefox add-on with visual indicators for search engines, and he explained to me the concept of a URL bar that would turn green (set aside accessibility challenges with color-only for now) so users can avoid counterfeit websites. I was blown away by the idea and by the possible implementations with browsers. How could a user possibly fall for a deceptive website?! It’s ***2019*** and people falling for deceptive websites and dangerous URIs is the #1 problem in cybersecurity - and it’s getting worse.

But alas, browser vendors didn’t design the UI/UX in the way it was expected. And instead of iterating the UI/UX based on user feedback until product/market fit was achieved, vendors decided to remove it all. And instead of looking inward to see what they could have done better, they blame the companies that simply provided the information for them to displayed in their UI.

There is zero data from any company to prove that browser UI for website identity can’t work. I could write a white paper on why it didn’t work and why it can’t work based on how it *was* implemented. This is not research - this is confirmation bias. There isn’t a single successful product or feature that didn’t require iteration.

So, the next time a person says “EV is broken” or “website identity can’t work” please think about what I just said and imagine actual browser designers and developers who were/are responsible for that work. They were never given a chance to get it right.

I don’t work for a CA and never have. But I’m sick and tired of the bullying tactics from some individuals who work for major players - it’s toxic. *Not* referring to you Eric :)

If we want to discuss CA marketing/sales and verification processes then let’s do that - *separate* to browser UI implementations.

And here’s what’s almost funny, we’re going to see the very same mistakes made for email. Everyone involved in BIMI [1] asserts that it has nothing to do with security - it’s all about marketing. Yet almost everything in regards to benefits and execution is security related. There about to make all the same silly mistakes over again.

https://bimigroup.org <https://bimigroup.org/>

Regards,

- Paul

[Julien Vehent]

On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote:
> There is zero data from any company to prove that browser UI for website identity can’t work.

https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

"In this paper, we presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group."

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf

"We conclude that modern browser identity indicators are not effective. To design better identity indicators, we recommend that browsers consider focusing on active negative indicators, explore using prominent UI as an opportunity for user education, and incorporate user research into the design phase."

And more at https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md


- Julien

[Phillip Hallam-Baker]

On Thu, Oct 24, 2019 at 5:31 PM Paul Walsh <pa...@metacert.com> wrote:

> So, the next time a person says “EV is broken” or “website identity can’t
> work” please think about what I just said and imagine actual browser
> designers and developers who were/are responsible for that work. They were
> never given a chance to get it right.
>

The point I wanted to bring to people's attention here is that the world
has moved on since. At the present moment we are engaged in a political
crisis on both sides of the Atlantic. Those are the particular issues on
which I have been focused and those are the issues that I expect will be my
primary concern for a few months longer.

But one way or another, those issues will eventually be resolved. And as
soon as that happens, the blamestorming will begin. And once they have run
out of the guilty, they will be going after the innocent (as of course will
the people who were also guilty hoping to deflect attention from their own
culpability). And who else is there going to be left to blame who is
withing reach apart from 'BigTech'?

The security usability approach of the 1990s doesn't work any more. We
don't need people to tell us what doesn't work, we need people who are
committed to making it work.

The brief here is how to provide people with a way that they can be safe on
the Internet that they can use. That includes providing them with a means
of being able to tell a fake site from a real one. That also includes the
entirely separate problem of how to prevent phishing type attacks.


And one of the things we need to start doing is being honest about what the
research actually shows. From the paper cited by Julien.

" The participants who were asked to read the Internet Explorer help file
were more likely to classify both real and fake sites as legitimate
whenever the phishing warning did not appear."

This is actually the exact opposite of the misleading impression he gave of
the research.

The green bar is not enough, I never expected it to be. To be successful,
the green bar required the browser providers to provide a consistent UI
that users could rely on and explain what it means. It seems that every day
I am turning on a device or starting an app only to be told it has updated
and they want to tell me about some new feature they have added. Why is it
only the features that the providers want to tell me about get that
treatment? Why not also use it to tell people how to be safe.

[Paul Walsh]

> On Oct 24, 2019, at 2:59 PM, Julien Vehent via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote:

>> There is zero data from any company to prove that browser UI for website identity can’t work.
>

> https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

I’ve read this. It’s 13 years old! And consisted of 27 users broken into groups. I’m surprised that’s being cited as meaningful research/data in 2019. Some participants here weren’t even out of high school back then. I’m jealous.

I don’t know if you read our findings already Julien [1] but we conducted the same research with 85,000 active users over a period of 12 months - Chrome, Brave, Firefox and Opera. I have documented the entire process along with the method used to determine whether or not the visual indicator had achieved product/market fit. Our research started in December 2017 and lasted more than a year. This same software is now being sold into businesses of different sizes. Since it was first released, we have had zero victims of a deceptive website. And according to our MSP partners, their support calls and emails are massively reduced because when relying on the visual indicator we designed, they are less likely to report “suspicious” emails or websites.

It’s by no means perfect, but when a popular crypto DNS was compromised we changed the classification so it was immediately blocked. This is an edge case that requires more work.

For context, my engineers were the same people who built the official browser add-ons for digg, Delicious, Yahoo!, eBay, PayPal, Google and Microsoft. They contributed to Firefox bug fixing and my COO started the Firefox developer evangelist community. Our first API for child safety was supposed to be integrated with Firefox but weirdly one engineer thought it was censoring the web so Chris Hoffman, Mitch and others decided not to proceed.

So, we’re a tiny player, but there are fewer people with more experience in browser software, visual indicators and URL Classification. This doesn’t mean we’re more right - it just means that our assertions should be taken seriously and not disregarded as “vendor marketing”.

We also built the first ever security integration for native email clients - here’s a video demo of link annotation for the Apple Mail client https://www.youtube.com/watch?v=elutAAsboyE - visual indicators can and do work when done well.

It was very easy for us to educate users of the visual indicators and it was/is easy for them to rely on them. Similar to how I suspect you want users to rely on your new UI for tracking. We didn’t even have a website for this product until about 3 weeks ago and our on boarding sucks right now.

I would urge you to read about this and feel free to ask me any question you like in public or private. Please, when you read it though, assume that I love https, free dv certs, the lock and encryption - my article talks about the downside in regards to “how” these are being implemented.

Furthermore, my R&D into visual indicators started in 2004 - before EV was even considered by its creators. Every member of the W3C Semantic Web Education & Outreach Program (of which I was a member) voted our ‘proof of concept’ add-on as one of the most compelling implementations of the Semantic Web https://www.w3.org/2001/sw/sweo/public/UseCases/Segala/ <https://www.w3.org/2001/sw/sweo/public/UseCases/Segala/> I’m highlighting this because the data/research we did back then isn’t relevant today - just like the research you refer to isn’t relevant today in my opinion.

Timing and market conditions is everything. In my article I also draw conclusions about the relationship between phishing and the other components mentioned - using a massive number of data points from various cybersecurity companies that face these problems daily.

>
> "In this paper, we presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group.”

If this was true, no browser vendor would be able to release new features for anything. That said, browser settings is generally where UX goes to die a slow death. But some browser vendors do some things very well - Firefox tracking is good. Brave “shields" is probably the best implementation of anti-tracking I’ve seen because it’s the main utility.

>
> https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf
>
> "We conclude that modern browser identity indicators are not effective. To design better identity indicators, we recommend that browsers consider focusing on active negative indicators, explore using prominent UI as an opportunity for user education, and incorporate user research into the design phase."
>
> And more at https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md

[PW] More of the same I’m afraid. Both research and implementation of website identity has been executed poorly to say the least. This is pretty much all I’ve been working on since I co-instigated the creation of the W3C Recommendation for URL Classification that replaced PiCS in 2009. Our original motivation was to help people with disabilities find search results that contained links to sites that were accessible to them based on their user profiles.

I digress. But that’s where my research started - my first company provided a trustmark to companies that complied with W3C WCAG. When we contributed to those specs we found that websites which complied with the categories, it didn’t really help real users who have different requirements. OK now I’m really digressing :-)

[1] https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/>

- Paul

>
>
> - Julien

[Peter Gutmann]

Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org> writes:

>we conducted the same research with 85,000 active users over a period of
>12 months

As I've already pointed out weeks ago when you first raised this, your
marketing department conducted a survey of EV marketing effectiveness. If
you have a refereed, peer-reviewed study published at a conference or in
an academic journal, please reference it, not a marketing survey
masquerading as a "study".

A second suggestion, if you don't want to publish any research (by which I
mean real research, not rent-seeking CA marketing) supporting your position,
is that you fork Firefox - it is after all an open-source product - add
whatever EV UI you like to it, and publish it as an alternative to Firefox.
If your approach works as you claim, it'll be so obviously superior to
Firefox that everyone will go with your fork rather than the original.

For everyone else who feels this interminable debate has already gone on
far too long and I'm not helping it, yeah, sorry, I'd consigned the thread
to the spam folder for awhile, had a brief look back, and saw this, which
indicates it's literally gone nowhere in about a month.

I can see why Mozilla avoided this endless broken-record discussion, it's
not contributing anything but just going round and round in circles.

Peter.

[Paul Walsh]

> On Oct 24, 2019, at 6:53 PM, Peter Gutmann <pgu...@cs.auckland.ac.nz> wrote:
>
> Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org> writes:
>
>> we conducted the same research with 85,000 active users over a period of
>> 12 months
>
> As I've already pointed out weeks ago when you first raised this, your
> marketing department conducted a survey of EV marketing effectiveness.

[PW] With respect Peter, you articulate your opinion doesn’t make it a matter of fact. Read the article properly and you will see that it’s not from a marketing department. It’s a small startup that wanted to conduct a social experiment.

> If
> you have a refereed, peer-reviewed study published at a conference or in
> an academic journal, please reference it, not a marketing survey
> masquerading as a "study”.

Rubbish. We don’t need to publish at a conference or in an academic journal for it to demonstrate a point. If *you* don’t want to trust it, that’s ok. I don’t expect everyone to trust everything that is written.

As Homer Simpson said; “70% of all reports are made up”.

Our work is not marketing - you obviously didn’t read the methodology and the reasons or you wouldn’t make such silly comments.

>
> A second suggestion, if you don't want to publish any research (by which I
> mean real research, not rent-seeking CA marketing) supporting your position,

Did you read any of the words I wrote? I’ve said more than once that I don’t work for a CA - never have. You’re obviously a CA-hater and hate everything that’s ever discussed about website identity. Haters are gonna hate. I couldn’t be more impartial.

> is that you fork Firefox - it is after all an open-source product - add
> whatever EV UI you like to it, and publish it as an alternative to Firefox.
> If your approach works as you claim, it'll be so obviously superior to
> Firefox that everyone will go with your fork rather than the original.

Another weird comment. Forking code and building products doesn’t mean people will use it. I have nothing to prove to anyone. If all the browser vendors did as I suggest it would mean there’s no need for our flagship product. So how on earth could I be biased. My commentary or counter productive for my shareholders and team. But I care about what’s in the best of industry. You clearly don’t because you need to have the word “Google” or “Stanford” stamped on a PDF. None of the authors of any of those documents come close to the level of experience that my team and I have - including our industry contributions. I was the first person to ever re-write Tim Berner’s Lee’s vision of the “one web” when I co-founded the Mobile Web Initiative. I shouldn’t have to throw these things around just to appease you. Do your research if you actually care.

>
> For everyone else who feels this interminable debate has already gone on
> far too long and I'm not helping it, yeah, sorry, I'd consigned the thread
> to the spam folder for awhile, had a brief look back, and saw this, which
> indicates it's literally gone nowhere in about a month.

Go play in your spam folder for a little longer because I’m done responding to your insults. You didn’t question anything outside our intent which is to question my integrity. I won’t accept that - it’s as insulting as it gets.

>
> I can see why Mozilla avoided this endless broken-record discussion, it's
> not contributing anything but just going round and round in circles.

It’s going around in circles because you refuse to take the time and effort to read what has been written. Instead, you assume we have ulterior motives. As I’ve said, my motives are not necessarily in the best interest of my company.

- Paul

>
> Peter.

[Paul Walsh]

Apologies for the massive number of typos. I was angry when I read the response to my thoughtful messages. I tried my best to hold back. I didn’t even have the energy to check what I’d written before hitting send.

[Phillip Hallam-Baker]

On Thu, Oct 24, 2019 at 9:54 PM Peter Gutmann via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org>
> writes:
>
> >we conducted the same research with 85,000 active users over a period of
> >12 months
>
> As I've already pointed out weeks ago when you first raised this, your

> marketing department conducted a survey of EV marketing effectiveness. If

> you have a refereed, peer-reviewed study published at a conference or in
> an academic journal, please reference it, not a marketing survey
> masquerading as a "study".

There are certainly problems with doing usability research. But right now
there is very little funding for academic studies that are worth reading.

You didn't criticize the paper with 27 subjects split into three groups
from 2007. Nor did you criticize the fact that the conclusions were totally
misrepresented.

So it doesn't appear to be spurious research that you have a problem with
or the misrepresentation of the results. What you seem to have a problem
with is the conclusions.

At least with 85,000 subjects there is some chance that Paul himself has
found out something of interest. That doesn't mean that we have to accept
his conclusions as correct, or incontrovertible but I think it does mean
that he deserves to be treated with respect.
I am not at all happy with the way this discussion has gone. It seems that
contrary to the claims of openness, Mozilla has a group think problem. For
some reason it is entirely acceptable to attack CAs for any reason and with
the flimsiest of evidence.

[James Burton]

Extended validation was introduced at a time when mostly everyone browsed
the internet using low/medium resolution large screen devices that provided
the room for an extended validation style visual security indicator .
Everything has moved on and purchases are made on small screen devices that
has no room to support an extended validation style visual security
indicator. Apple supported extended validation style visual security
indicator in iOS browser and it failed [1] [2].

It's right that we are removing the extended validation style visual
security indicator from browsers because of a) the above statement b)
normal users don't understand extended validation style visual security
indicators c) the inconsistencies of extended validation style visual
security indicator between browsers d) users can't tell who is real or not
based on extended validation style visual security indicators as company
names sometimes don't match the actual site name.

[1] https://www.typewritten.net/writer/ev-phishing
[2] https://stripe.ian.sh

Thank you

Burton

[Phillip Hallam-Baker]

On Fri, Oct 25, 2019 at 4:21 AM James Burton <j...@0.me.uk> wrote:

> Extended validation was introduced at a time when mostly everyone browsed
> the internet using low/medium resolution large screen devices that provided
> the room for an extended validation style visual security indicator .
> Everything has moved on and purchases are made on small screen devices that
> has no room to support an extended validation style visual security
> indicator. Apple supported extended validation style visual security
> indicator in iOS browser and it failed [1] [2].
>
> It's right that we are removing the extended validation style visual
> security indicator from browsers because of a) the above statement b)
> normal users don't understand extended validation style visual security
> indicators c) the inconsistencies of extended validation style visual
> security indicator between browsers d) users can't tell who is real or not
> based on extended validation style visual security indicators as company
> names sometimes don't match the actual site name.
>
> [1] https://www.typewritten.net/writer/ev-phishing
> [2] https://stripe.ian.sh
>

The original proposal that led to EV was actually to validate the company
logos and present them as logotype.
There was a ballot proposed here to bar any attempt to even experiment with
logotype. This was withdrawn after I pointed out to Mozilla staff that
there was an obvious anti-Trust concern in using the threat of withdrawing
roots from a browser with 5% market share to suppress deployment of any
feature.

Now for the record, that is what a threat looks like: we will destroy your
company if you do not comply with our demands. Asking to contact the
Mozilla or Google lawyers because they really need to know what one of
their employees is doing is not.

Again, the brief here is to provide security signals that allow the user to
protect themselves.


--
Website: http://hallambaker.com/

[Paul Walsh]

On Oct 25, 2019, at 7:56 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:

>
>
>
> On Fri, Oct 25, 2019 at 4:21 AM James Burton <j...@0.me.uk <mailto:j...@0.me.uk>> wrote:
> Extended validation was introduced at a time when mostly everyone browsed the internet using low/medium resolution large screen devices that provided the room for an extended validation style visual security indicator . Everything has moved on and purchases are made on small screen devices that has no room to support an extended validation style visual security indicator. Apple supported extended validation style visual security indicator in iOS browser and it failed [1] [2].

[PW] Phil knows more about the intent so I’ll defer to his response at the end of this thread. I would like to add that computer screens bigger than mobile devices aren’t going away. So focusing only on mobile isn’t a good idea.

Thanks for the constructive conversation James, finally :) But I don’t necessarily agree with your assertion about there being a lack of room to support identity. It all comes down to priority as you know. We could have said that Firefox mobile didn’t have enough room for tracking icons/settings before it was implemented - but because Mozilla feels this is important, they made the room. They made assertions about the lack of real estate for identity prior to implementing visual indicators for tracking.

Mozilla once asserted that it wouldn’t implement any filtering tools/preferences for any reason because it was considered “censorship”. They have clearly changed their position - thankfully, with the filters for trackers/ads.

Mozilla dropped its mobile browser strategy completely for a long period of time, but the team is now focused on mobile again. So things do change with time and realization of market conditions and mistakes. Everyone makes mistakes.

>
> It's right that we are removing the extended validation style visual security indicator from browsers because of a) the above statement b)

One could argue that there’s less room inside an app WebView - where there's so much inconsistency it hurts my head. Here’s an example of a design implementation that *might* work to help demonstrate my point about there being enough room - it’s not ideal but I only spent 5 minutes on it. [1]

> normal users don't understand extended validation style visual security indicators c)

Because they were never educated properly - UX sucked more than anything. But you don’t just remove something without iterating to achieve product/market fit. That’s what happened with identity.

> the inconsistencies of extended validation style visual security indicator between browsers d) users can't tell who is real or not based on extended validation style visual security indicators as company names sometimes don't match the actual site name.

I agree. This is why they should have been improved instead of removed. Mozilla will likely iterated the UI/UX around tracking to improve adoption.

Ian, like every other commentator I’ve read on this subject, say things that I agree with. But their conclusions and proposals are completely flawed in my opinion. As I’ve said before, you don’t just remove something that doesn’t see major adoption - you iterate/test. You’d only remove UI if you know for sure that it can’t be improved - there’s no data to suggest that any research was done around this. Mozilla have only supplied links to research that’s flawed and so old it’s useless. I’m blown away by their referencing research from more than 10 years ago. Some amazing people on this list weren’t even working with web tech back then.

>
> [1] https://www.typewritten.net/writer/ev-phishing <https://www.typewritten.net/writer/ev-phishing>
> [2] https://stripe.ian.sh <https://stripe.ian.sh/>
>

[PW] [1] https://imgur.com/Va4heuo

- Paul

> The original proposal that led to EV was actually to validate the company logos and present them as logotype.
> There was a ballot proposed here to bar any attempt to even experiment with logotype. This was withdrawn after I pointed out to Mozilla staff that there was an obvious anti-Trust concern in using the threat of withdrawing roots from a browser with 5% market share to suppress deployment of any feature.
>
> Now for the record, that is what a threat looks like: we will destroy your company if you do not comply with our demands. Asking to contact the Mozilla or Google lawyers because they really need to know what one of their employees is doing is not.
>
> Again, the brief here is to provide security signals that allow the user to protect themselves.
>
> --

> Website: http://hallambaker.com/ <http://hallambaker.com/>

[James Burton]

I took a look at your concept of an extended validation type visual
security indicator and the conclusion is that it doesn't provide any
assurance to the users that the website is vetted or trustworthy. This
concept is similar to the padlock visual security indicator and that too
doesn't provide any assurance to the users that the website is vetted or
trustworthy. The padlock visual security indicator only provides the user a
visual indication that the connection is encrypted.

Read Emily Stark's Twitter response regarding Chrome and the removal of the
padlock visual security indicator:
https://twitter.com/estark37/status/1183769863841386496?s=20

> normal users don't understand extended validation style visual security
>> indicators c)
>>
>
> Because they were never educated properly - UX sucked more than anything.
> But you don’t just remove something without iterating to achieve
> product/market fit. That’s what happened with identity.
>

Users shouldn't have to go through education lessons to recognise different
positive visual security indicators. Its a stupid idea.

Next stupid idea will be expecting users to go through a compulsory exam to
learn about the different positive visual security indicators.
If failed, they can't purchase goods online. If passed, they get a license
issued to allow them to purchase goods online.

Browsers iterating positive visual security indicators to achieve
product/market fit is another stupid idea. It's good for CAs profit
margins. It's bad for users as it will totally confuse them. Even if we did
go down this stupid path, how many times would browsers need to change the
visual security indicators to suit the CAs product?

> the inconsistencies of extended validation style visual security indicator
>> between browsers d) users can't tell who is real or not based on extended
>> validation style visual security indicators as company names sometimes
>> don't match the actual site name.
>>
>
> I agree. This is why they should have been improved instead of removed.
> Mozilla will likely iterated the UI/UX around tracking to improve adoption.
>

Above. Stupid idea.

>
> Ian, like every other commentator I’ve read on this subject, say things
> that I agree with. But their conclusions and proposals are completely
> flawed in my opinion. As I’ve said before, you don’t just remove something
> that doesn’t see major adoption - you iterate/test. You’d only remove UI if
> you know for sure that it can’t be improved - there’s no data to suggest
> that any research was done around this. Mozilla have only supplied links to
> research that’s flawed and so old it’s useless. I’m blown away by their
> referencing research from more than 10 years ago. Some amazing people on
> this list weren’t even working with web tech back then.
>

Extended validation isn't a new concept and it has been proven it has
failed.


>
>
>
>> [1] https://www.typewritten.net/writer/ev-phishing
>> [2] https://stripe.ian.sh
>>
>
>
>

[Paul Walsh]

> On Oct 28, 2019, at 2:12 PM, James Burton <j...@0.me.uk> wrote:
>
> [PW] Phil knows more about the intent so I’ll defer to his response at the end of this thread. I would like to add that computer screens bigger than mobile devices aren’t going away. So focusing only on mobile isn’t a good idea.
>
> Thanks for the constructive conversation James, finally :) But I don’t necessarily agree with your assertion about there being a lack of room to support identity. It all comes down to priority as you know. We could have said that Firefox mobile didn’t have enough room for tracking icons/settings before it was implemented - but because Mozilla feels this is important, they made the room. They made assertions about the lack of real estate for identity prior to implementing visual indicators for tracking.
>
> Mozilla once asserted that it wouldn’t implement any filtering tools/preferences for any reason because it was considered “censorship”. They have clearly changed their position - thankfully, with the filters for trackers/ads.
>
> Mozilla dropped its mobile browser strategy completely for a long period of time, but the team is now focused on mobile again. So things do change with time and realization of market conditions and mistakes. Everyone makes mistakes.
>
>>
>> It's right that we are removing the extended validation style visual security indicator from browsers because of a) the above statement b)
>
> One could argue that there’s less room inside an app WebView - where there's so much inconsistency it hurts my head. Here’s an example of a design implementation that *might* work to help demonstrate my point about there being enough room - it’s not ideal but I only spent 5 minutes on it. [1]
>
> I took a look at your concept of an extended validation type visual security indicator and the conclusion is that it doesn't provide any assurance to the users that the website is vetted or trustworthy. This concept is similar to the padlock visual security indicator and that too doesn't provide any assurance to the users that the website is vetted or trustworthy. The padlock visual security indicator only provides the user a visual indication that the connection is encrypted.

[PW] You’re getting hooked on an icon. Please don’t do that. I’m just showing you that it’s possible to find real estate. You said there was no room. I proved there is. So how about you either admit to being wrong, or explain why I’m wrong instead of commenting on the shape, size and color of an icon. I’m shrugging my shoulders at your reply.

Separately, this particular visual indicator worked and continues to work for us - but again, let’s not debate on the design elements.

>
> Read Emily Stark's Twitter response regarding Chrome and the removal of the padlock visual security indicator: https://twitter.com/estark37/status/1183769863841386496?s=20 <https://twitter.com/estark37/status/1183769863841386496?s=20>

>
>
>> normal users don't understand extended validation style visual security indicators c)
>
> Because they were never educated properly - UX sucked more than anything. But you don’t just remove something without iterating to achieve product/market fit. That’s what happened with identity.
>
> Users shouldn't have to go through education lessons to recognise different positive visual security indicators. Its a stupid idea.

[PW] So you dislike Mozilla’s implementation for the tracker icon in the address bar? When you update to 70.0 you’re prompted with an educational-type pop-out to draw your attention to the visual indicator. Do you think that’s a bad idea? Do you think users should just know how to use browser software?

>
> Next stupid idea will be expecting users to go through a compulsory exam to learn about the different positive visual security indicators.

[PW] That’s pretty insulting but I’ve come to expect that from people who disagree with me on this list. I don’t see anyone else contributing in any way, in regards to how we can address this problem through collaboration. All I hear is childish screaming; “EV is broken” - it’s like a broken record with zero data. We know old implementations were crap. But that’s like saying the first version of the seatbelt was flawed, so it shouldn’t’ have progressed through design iteration to make it work.

BW Brave has an indicator for shields - seems to work pretty well. That’s a type of security that requires user education. But with good UI/UX it’s possible to get it right - which is why I guess Brave is taking market share from Firefox and Chrome and will continue to do so as it does some things better.

> If failed, they can't purchase goods online. If passed, they get a license issued to allow them to purchase goods online.
>
> Browsers iterating positive visual security indicators to achieve product/market fit is another stupid idea. It's good for CAs profit margins. It's bad for users as it will totally confuse them. Even if we did go down this stupid path, how many times would browsers need to change the visual security indicators to suit the CAs product?

[PW] Now we’re getting to it. You’re showing your true colors. Try to separate CAs from the browser-based UI/UX for security. CAs and EV is just one implementation of website identity in my opinion. “Website identity” is much bigger than CAs/EV. That’s why I don’t use the term “EV” much - it draws out hate from the CA-haters who aren’t able to see beyond their hate.

Personally, I’m aiming for a fully decentralized world for the decision making process around URL classification - using a token curated registry. But that’s the endgame. Furthermore, MetaCert has verified more domains than the total number of EV certs globally - for FREE. I digress and would rather not mention my company name - but I must, if I’m to prove you wrong or show how you are biased.

In other news, it is ok for some companies to generate revenue from things that can add value to some people’s lives. Do you like getting free services and becoming the product? Do you like how some browsers are creepy by tracking your every move so they can see advertising?

I previously gave an example of how identity can be done for every .GOV domain given that it’s a highly regulated TLD. There are other gTLDs and ccTLDs that are regulated - they wouldn’t need third-party validation. If there was an indicator that told you when you were really on a .GOV site and not a deceptive site, I’d say that was value add.

Feel free to suggest ideas on how to fix things instead of calling my ideas as “stupid" - removing stuff and sticking your head in the sand screaming “EV is broken” doesn’t help.

>
>
>> the inconsistencies of extended validation style visual security indicator between browsers d) users can't tell who is real or not based on extended validation style visual security indicators as company names sometimes don't match the actual site name.
>
> I agree. This is why they should have been improved instead of removed. Mozilla will likely iterated the UI/UX around tracking to improve adoption.
>
> Above. Stupid idea.

[PW] You have’t said anything that would make me think I should listen to your assertion about my idea being stupid. I’ve provided a massive number of data points from which I draw conclusions. Instead of slamming the conclusion try to address anything that led me to those conclusions or explain why you think they are wrong.

>
>
> Ian, like every other commentator I’ve read on this subject, say things that I agree with. But their conclusions and proposals are completely flawed in my opinion. As I’ve said before, you don’t just remove something that doesn’t see major adoption - you iterate/test. You’d only remove UI if you know for sure that it can’t be improved - there’s no data to suggest that any research was done around this. Mozilla have only supplied links to research that’s flawed and so old it’s useless. I’m blown away by their referencing research from more than 10 years ago. Some amazing people on this list weren’t even working with web tech back then.
>
> Extended validation isn't a new concept and it has been proven it has failed.

[PW] If you read any of my previous messages you’d know that I’m pretty familiar with EV. Browsers who didn’t implement identity UI/UX properly are the ones who should be addressed - they’re the ones who are responsible for displaying it.

- Paul

>
>
>
>>
>> [1] https://www.typewritten.net/writer/ev-phishing <https://www.typewritten.net/writer/ev-phishing>
>> [2] https://stripe.ian.sh <https://stripe.ian.sh/>
>>
>

> [PW] [1] https://imgur.com/Va4heuo <https://imgur.com/Va4heuo>

>
> - Paul
>
>
>
>
>> The original proposal that led to EV was actually to validate the company logos and present them as logotype.
>> There was a ballot proposed here to bar any attempt to even experiment with logotype. This was withdrawn after I pointed out to Mozilla staff that there was an obvious anti-Trust concern in using the threat of withdrawing roots from a browser with 5% market share to suppress deployment of any feature.
>>
>> Now for the record, that is what a threat looks like: we will destroy your company if you do not comply with our demands. Asking to contact the Mozilla or Google lawyers because they really need to know what one of their employees is doing is not.
>>
>> Again, the brief here is to provide security signals that allow the user to protect themselves.
>>
>> --

>> Website: http://hallambaker.com/ <http://hallambaker.com/>
>

[Wayne Thayer]

Hi Paul,

On Mon, Oct 28, 2019 at 2:41 PM Paul Walsh via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:


> [PW] So you dislike Mozilla’s implementation for the tracker icon in the
> address bar? When you update to 70.0 you’re prompted with an
> educational-type pop-out to draw your attention to the visual indicator. Do
> you think that’s a bad idea? Do you think users should just know how to use
> browser software?
>
>

This repeated comparison of the EV indicator to the privacy shield is
apples to orangutans. The security and privacy of a Firefox user doesn't
depend on them interacting with the privacy shield. If a user never notices
the privacy shield, that user will be as secure as one who examines it on
every page load. It follows that there is no need for users to be properly
trained to interact with the privacy shield to protect themselves. This
gets to the root of the problem with the EV UI as a positive security
indicator.

- Wayne

[Paul Walsh]

> On Oct 28, 2019, at 3:39 PM, Wayne Thayer <wth...@mozilla.com> wrote:
>
> Hi Paul,
>

> On Mon, Oct 28, 2019 at 2:41 PM Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
>
> [PW] So you dislike Mozilla’s implementation for the tracker icon in the address bar? When you update to 70.0 you’re prompted with an educational-type pop-out to draw your attention to the visual indicator. Do you think that’s a bad idea? Do you think users should just know how to use browser software?
>
>
> This repeated comparison of the EV indicator to the privacy shield is apples to orangutans. The security and privacy of a Firefox user doesn't depend on them interacting with the privacy shield. If a user never notices the privacy shield, that user will be as secure as one who examines it on every page load. It follows that there is no need for users to be properly trained to interact with the privacy shield to protect themselves. This gets to the root of the problem with the EV UI as a positive security indicator.

[PW] Good point in regards to the fact that users are better protected even if they’re not aware of it.

If you believe the visual indicator has little or no value why did you add it?

Also, Mozilla has not conducted, or referenced recent research to prove that well designed UI can't work. Only that previous implementations didn’t work. There’s no need to do that as we are on in agreement on this point.

- Paul


>
> - Wayne

[Nick Lamb]

On Mon, 28 Oct 2019 16:19:30 -0700
Paul Walsh via dev-security-policy

<dev-secur...@lists.mozilla.org> wrote:
> If you believe the visual indicator has little or no value why did
> you add it?

The EV indication dates back to the creation of Extended Validation,
and so the CA/Browser forum, which is well over a decade ago now.

But it inherits its nature as a positive indicator from the SSL
padlock, which dates back to the mid-1990s when Netscape developed SSL.
At the time there was not yet a clear understanding that negative
indicators were the Right Thing™, and because Tim's toy hypermedia
system didn't have much security built in there was a lot of work to
do to get from there to here.

Plenty of other bad ideas date back to the 1990s, such as PGP's "Web of
Trust". I doubt that Wayne can or should answer for bad ideas just
because he's now working on good ideas.

Nick.

[Paul Walsh]

Hi Nick,

[PW] I agree with your conclusion. But you’re commenting on the wrong thing. You snipped my message so much that my comment above is without context. You snipped it in a way that a reader will think I’m asking about the old visual indicators for identity - I’m not. I asked Wayne if he thinks the new Firefox visual indicator for tracking is unnecessary.

I don’t want to labour my points any more. Those who disagree and took the time to comment, aren’t willing to exchange meaningful, constructive, respectful counter arguments. Those who disagree but aren’t commenting, may or may not care at all. And those who agree mostly show their support in private. I feel like this conversation is sucking up all the oxygen as a result.

If we are all doing such a great job, attacks wouldn’t be on the rise and phishing wouldn’t be the number 1 problem. And we all know phishing is where a user falls for a deceptive website.

One last time, here’s the article I wrote with many data points https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/>

I’m going to edit this article for Hackernoon, to include additional context about my support *for*encryption, https, padlock and free DV certs. I support them all, obviously. But some people assume I don’t support these critical elements because I pointed out the negative impact that their implementation is having.

Thanks,
- Paul

>
> Nick.

[James Burton]

Hi Paul,

I take the view that the articles on the CA Security Council website are a
form of marketing gimmick with no value whatsoever.

Thank you

Burton

On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy <

[Paul Walsh]

> On Oct 29, 2019, at 11:17 AM, James Burton <j...@0.me.uk> wrote:
>
> Hi Paul,
>
> I take the view that the articles on the CA Security Council website are a form of marketing gimmick with no value whatsoever.

[PW] More useless feedback that only serves to insult someone trying their best to add value. As I’ve said *over and over again*, if browser vendors did what I recommended in the article, my own company's flagship product would be rendered useless. If you call that “a form of marketing gimmick" you should probably avoid going into marketing.

Every data point was taken from a competitor with links to their work. If you disagree with my conclusions, say so. But throwing insults is hardly adding value, is it?

- Paul

>
> Thank you
>
> Burton

>
> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
> Hi Nick,
>

> > On Oct 29, 2019, at 7:07 AM, Nick Lamb <n...@tlrmx.org <mailto:n...@tlrmx.org>> wrote:
> >
> > On Mon, 28 Oct 2019 16:19:30 -0700
> > Paul Walsh via dev-security-policy

> > <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
> >> If you believe the visual indicator has little or no value why did
> >> you add it?
> >
> > The EV indication dates back to the creation of Extended Validation,
> > and so the CA/Browser forum, which is well over a decade ago now.
> >
> > But it inherits its nature as a positive indicator from the SSL
> > padlock, which dates back to the mid-1990s when Netscape developed SSL.
> > At the time there was not yet a clear understanding that negative
> > indicators were the Right Thing™, and because Tim's toy hypermedia
> > system didn't have much security built in there was a lot of work to
> > do to get from there to here.
> >
> > Plenty of other bad ideas date back to the 1990s, such as PGP's "Web of
> > Trust". I doubt that Wayne can or should answer for bad ideas just
> > because he's now working on good ideas.
>
> [PW] I agree with your conclusion. But you’re commenting on the wrong thing. You snipped my message so much that my comment above is without context. You snipped it in a way that a reader will think I’m asking about the old visual indicators for identity - I’m not. I asked Wayne if he thinks the new Firefox visual indicator for tracking is unnecessary.
>
> I don’t want to labour my points any more. Those who disagree and took the time to comment, aren’t willing to exchange meaningful, constructive, respectful counter arguments. Those who disagree but aren’t commenting, may or may not care at all. And those who agree mostly show their support in private. I feel like this conversation is sucking up all the oxygen as a result.
>
> If we are all doing such a great job, attacks wouldn’t be on the rise and phishing wouldn’t be the number 1 problem. And we all know phishing is where a user falls for a deceptive website.
>

> One last time, here’s the article I wrote with many data points https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/> <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/>>

>
> I’m going to edit this article for Hackernoon, to include additional context about my support *for*encryption, https, padlock and free DV certs. I support them all, obviously. But some people assume I don’t support these critical elements because I pointed out the negative impact that their implementation is having.
>
> Thanks,
> - Paul
>
> >
> > Nick.
>

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-security-policy <https://lists.mozilla.org/listinfo/dev-security-policy>

[James Burton]

On Tue, Oct 29, 2019 at 6:29 PM Paul Walsh <pa...@metacert.com> wrote:

>
> On Oct 29, 2019, at 11:17 AM, James Burton <j...@0.me.uk> wrote:
>
> Hi Paul,
>
> I take the view that the articles on the CA Security Council website are a
> form of marketing gimmick with no value whatsoever.
>
>
> [PW] More useless feedback that only serves to insult someone trying their
> best to add value. As I’ve said *over and over again*, if browser vendors
> did what I recommended in the article, my own company's flagship product

> would be *rendered useless*. If you call that “a form of marketing

> gimmick" you should probably avoid going into marketing.
>

When I read the CA Security Council website around the two year mark, I
found the content more directed toward the marketing end to help CAs
promote expensive products such as extended validation certificates. My
opinion on the matter hasn't changed. This isn't throwing insults at each
other, it's about improving web security and directing people to the wrong
conclusions which the CA Security Council has done is bad for the
improvement of web security.

> Every data point was taken from a competitor with links to their work. If
> you disagree with my conclusions, say so. But throwing insults is hardly
> adding value, is it?
>

> - Paul
>
>
> Thank you
>
> Burton
>
> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy <

> dev-secur...@lists.mozilla.org> wrote:
>
>> Hi Nick,

>>
>> > On Oct 29, 2019, at 7:07 AM, Nick Lamb <n...@tlrmx.org> wrote:
>> >
>> > On Mon, 28 Oct 2019 16:19:30 -0700
>> > Paul Walsh via dev-security-policy

>> I’m going to edit this article for Hackernoon, to include additional
>> context about my support *for*encryption, https, padlock and free DV certs.
>> I support them all, obviously. But some people assume I don’t support these
>> critical elements because I pointed out the negative impact that their
>> implementation is having.
>>
>> Thanks,
>> - Paul
>>
>> >
>> > Nick.
>>

[James Burton]

Correction:

This isn't throwing insults at each other, it's about improving web

security and not directing people to the wrong conclusions which the CA
Security Council has done which is bad for the improvement of web security.

Thank you

Burton

[Paul Walsh]

> On Oct 29, 2019, at 11:56 AM, James Burton <j...@0.me.uk> wrote:
>
>
>
> On Tue, Oct 29, 2019 at 6:29 PM Paul Walsh <pa...@metacert.com <mailto:pa...@metacert.com>> wrote:

>
>> On Oct 29, 2019, at 11:17 AM, James Burton <j...@0.me.uk <mailto:j...@0.me.uk>> wrote:
>>
>> Hi Paul,
>>
>> I take the view that the articles on the CA Security Council website are a form of marketing gimmick with no value whatsoever.
>

> [PW] More useless feedback that only serves to insult someone trying their best to add value. As I’ve said *over and over again*, if browser vendors did what I recommended in the article, my own company's flagship product would be rendered useless. If you call that “a form of marketing gimmick" you should probably avoid going into marketing.

>
> When I read the CA Security Council website around the two year mark, I found the content more directed toward the marketing end to help CAs promote expensive products such as extended validation certificates. My opinion on the matter hasn't changed. This isn't throwing insults at each other, it's about improving web security and directing people to the wrong conclusions which the CA Security Council has done is bad for the improvement of web security.

[PW] I think EV is expensive, time consuming and complicated. I think some CAs were, and continue to be overzealous in their marketing efforts by over selling the benefits of EV from a browser UI perspective. I also think the verification process can now be further improved with new blockchain-based KYC tech/processes.

Some CAs are better than others - just like companies in every sector. I hope you and others will see that I’m completely unbiased in my personal opinions. I sit in the middle. And I hope people will find the time and energy to read my words and not read in between the lines.

I have nothing against CAs making a lot of money when they add value. And I think they can add massive value - but that value can only be derived by browsers and other software applications that make use of their certs in a more meaningful way in the future. We should be questioning browser vendors here, not CAs. CAs are doing their bit for identity.

I’ve had many conversations with CAs over the past few months and their hearts are in the right place. They are trying just like the rest of us, to add value to society while generating revenue. Nothing is free. Either you pay for a product or you are the product. We all know this.

Firefox still uses Google as the default search engine even though Google is the least privacy-respecting search engine in the eyes of many. If Mozilla could build a sustainable model that didn’t involve revenue from Google it would probably consider using duckduckgo.com as it’s primary search engine.

Thanks for taking the time to say what you really think so we can get to the heart of the problem. Perceptions are important. Let’s try to look beyond the perceptions. I don’t trust Google’s motives, but I will take the time to read what they say and question specifics, rather than tarnish them with a brush.

- Paul

>
>
> Every data point was taken from a competitor with links to their work. If you disagree with my conclusions, say so. But throwing insults is hardly adding value, is it?
>
> - Paul
>
>>
>> Thank you
>>
>> Burton
>>

>> On Tue, Oct 29, 2019 at 5:55 PM Paul Walsh via dev-security-policy <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
>> Hi Nick,
>>

>> > On Oct 29, 2019, at 7:07 AM, Nick Lamb <n...@tlrmx.org <mailto:n...@tlrmx.org>> wrote:
>> >
>> > On Mon, 28 Oct 2019 16:19:30 -0700
>> > Paul Walsh via dev-security-policy

>> > <dev-secur...@lists.mozilla.org <mailto:dev-secur...@lists.mozilla.org>> wrote:
>> >> If you believe the visual indicator has little or no value why did
>> >> you add it?
>> >
>> > The EV indication dates back to the creation of Extended Validation,
>> > and so the CA/Browser forum, which is well over a decade ago now.
>> >
>> > But it inherits its nature as a positive indicator from the SSL
>> > padlock, which dates back to the mid-1990s when Netscape developed SSL.
>> > At the time there was not yet a clear understanding that negative
>> > indicators were the Right Thing™, and because Tim's toy hypermedia
>> > system didn't have much security built in there was a lot of work to
>> > do to get from there to here.
>> >
>> > Plenty of other bad ideas date back to the 1990s, such as PGP's "Web of
>> > Trust". I doubt that Wayne can or should answer for bad ideas just
>> > because he's now working on good ideas.
>>
>> [PW] I agree with your conclusion. But you’re commenting on the wrong thing. You snipped my message so much that my comment above is without context. You snipped it in a way that a reader will think I’m asking about the old visual indicators for identity - I’m not. I asked Wayne if he thinks the new Firefox visual indicator for tracking is unnecessary.
>>
>> I don’t want to labour my points any more. Those who disagree and took the time to comment, aren’t willing to exchange meaningful, constructive, respectful counter arguments. Those who disagree but aren’t commenting, may or may not care at all. And those who agree mostly show their support in private. I feel like this conversation is sucking up all the oxygen as a result.
>>
>> If we are all doing such a great job, attacks wouldn’t be on the rise and phishing wouldn’t be the number 1 problem. And we all know phishing is where a user falls for a deceptive website.
>>

>> One last time, here’s the article I wrote with many data points https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/> <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ <https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/>>

>>
>> I’m going to edit this article for Hackernoon, to include additional context about my support *for*encryption, https, padlock and free DV certs. I support them all, obviously. But some people assume I don’t support these critical elements because I pointed out the negative impact that their implementation is having.
>>
>> Thanks,
>> - Paul
>>
>> >
>> > Nick.
>>

>> _______________________________________________
>> dev-security-policy mailing list

[Paul Walsh]

> On Oct 29, 2019, at 12:03 PM, James Burton <j...@0.me.uk> wrote:
>
> Correction:
>
> This isn't throwing insults at each other, it's about improving web security and not directing people to the wrong conclusions which the CA Security Council has done which is bad for the improvement of web security.

[PW] Allow me to add something too :)

If browser vendors implemented website identity UI/UX in a meaningful way, making it easy for consumers to understand and use, I put forward that phishing attacks would take a nose dive. All the data points in my article bring me to this conclusion. In future I hope people can debate people’s conclusions with new/better data points.

This would lead to everyone seeing massive value from CAs. It’s a very strange situation. I don’t see anyone complaining about browser vendors removing UI without trying to improve it.

EV would then become an attack vector imo, so that would need to be tightened. Right now they’re using Let’s Encrypt free DV certs because of the wrong impression given by old and now, new browser UI. “Not secure” is going to make things better for privacy BUT much worse for safety.

- Paul


>
> Thank you
>
> Burton
>

> On Tue, Oct 29, 2019 at 6:56 PM James Burton <j...@0.me.uk <mailto:j...@0.me.uk>> wrote:
>
>
> On Tue, Oct 29, 2019 at 6:29 PM Paul Walsh <pa...@metacert.com <mailto:pa...@metacert.com>> wrote:
>
>> On Oct 29, 2019, at 11:17 AM, James Burton <j...@0.me.uk <mailto:j...@0.me.uk>> wrote:
>>
>> Hi Paul,
>>
>> I take the view that the articles on the CA Security Council website are a form of marketing gimmick with no value whatsoever.
>
> [PW] More useless feedback that only serves to insult someone trying their best to add value. As I’ve said *over and over again*, if browser vendors did what I recommended in the article, my own company's flagship product would be rendered useless. If you call that “a form of marketing gimmick" you should probably avoid going into marketing.
>
> When I read the CA Security Council website around the two year mark, I found the content more directed toward the marketing end to help CAs promote expensive products such as extended validation certificates. My opinion on the matter hasn't changed. This isn't throwing insults at each other, it's about improving web security and directing people to the wrong conclusions which the CA Security Council has done is bad for the improvement of web security.
>
>

>> _______________________________________________
>> dev-security-policy mailing list

[Nick Lamb]

On Tue, 29 Oct 2019 10:54:18 -0700
Paul Walsh via dev-security-policy

<dev-secur...@lists.mozilla.org> wrote:
> [PW] I agree with your conclusion. But you’re commenting on the wrong
> thing. You snipped my message so much that my comment above is
> without context. You snipped it in a way that a reader will think I’m
> asking about the old visual indicators for identity - I’m not. I
> asked Wayne if he thinks the new Firefox visual indicator for
> tracking is unnecessary.

I see, with this explanation your post makes more sense but now seems
dreadfully off-topic.

Firefox added positive visual indicators for a variety of things in
recent years, such as audio playback, webcam and location, but those
would seem equally irrelevant to a discussion about the EV
indication.

Nick.