-
Notifications
You must be signed in to change notification settings - Fork 974
Prominently show validated legal identity & jurisdiction to users #791
Comments
Thanks for filing this ticket and also checking in with Adrienne from Chrome. Here is one counterargument to showing EV:
Could showing EV status prominently in the browser have helped Alice in the latter case? Not really, because Venmo.com doesn't use EV. A large number of legitimate sites that accept "sensitive" information like credit cards and passwords don't use EV. Yahoo (according to my experience working on their security team) and Google (according to https://security.stackexchange.com/questions/52387/does-google-use-extended-validation-certificates) are just two large examples. So I posit that EV user interface signals are helpful for preventing phishing attacks in exactly the case where:
Better user interface than presented in the Jackson study can help with (2). I'm not sure it can help with (1). We are a small team and too overloaded currently to do an EV user study. The best we can do before 1.0 is piggyback off other browsers who've experimented with EV UI. In the absence of studies showing that prominent EV UI helps a non-trivial percentage of users against actual attacks, I am going to mark this low-priority. |
Hi Mike - |
Hey @jlemming41! Yan already knows me, but to be clear, it's Mike from CertSimple here. |
Venmo, like Stripe or Paypal or other mobile wallets, should have a cert with a background checked organisation. I'm not sure it's wise to reduce indicators for all sites, eg not show identity indicators for PayPal or Stripe, because Venmo's certificate does not include them. I get and understand your concern re: 1. On day 0 of a user's interaction with a particular website there's no way to know that a particular site should show an Totally understood re: a small team, and not having any information on current browsers UI effectiveness making it difficult. Going to reach out to Edge - maybe you can do the same for FF since I imagine you're closer? Will email you some more details off-list - some other folk we both know are interested in EV too. It's also worth considering, as the main purpose of the browser security UI is to show the user where they're connected to, whether erring on the side of providing the user with more information is preferable. |
A cluttered UI can certainly have negative effects, but in this case it seems like following the established behavior of other browsers has little downside.
I certainly see Yan's concern regarding EV UI's inability to help a user with step (1). I would think a majority of users are not confident that sites they visit have EVs or if they use other types of SSL. However, for users that are confident, the EV UI is a quick and easy way for them to make a decision on a situation that occurs frequently. I think there are enough users out there frequently (multiple times a day) visiting Paypal.com, Discover.com, or any other number of sites handling highly-sensitive information who fulfill both conditions Yan outlined that would be inconvenienced if the EV-specific UI was removed. Since transparency concerns were brought up above, I will also state that I am employed by a company that sells EV SSL, however we also sell DV and OV SSL. |
Here are a few questions I'm interested in for an EV user study, if anyone is up for conducting one:
|
I hate floating an undemocratic idea here but this problem is trivial to solve for 99% of the cases and very hard for the long tail. Most sensitive traffic goes to a few sites. Hand audit and approve certs for eBay, PayPal, amazon.com etc, and give a powerful UI hint. Allow community to contribute to the list and publish it. I think that brings a lot more happiness than EV. |
If a decision is made to show EV certs as green, there is an SVG icon available: Proposed spec (if decision is made to handle EV differently): |
Whatever we choose, we should consider being consistent with the iOS version. I noticed that in the iPhone app, a green icon there for a regular SSL site (non-EV) |
This is an excellent suggestion. We could come up with an standard for hand auditing, to be consistent. And then we could audit the implementation of those background checks. Then we could create an x509 field in the cert to indicate that someone has verified that this legal entity controls this public key. Then we could make it available to anyone who'd be willing to pay to have their identity audited, so new smaller companies could have background checks too rather than just eBay and Amazon. As a 'powerful UI hint', I propose showing the audited legal name, in a prominent part of the browser Chrome associated with identity, for example, the address bar. ?? [--- Commented from Asana.com |
You missed the point. The problem is unsolvable for the long tail. You end up with the CA shitshow we have today that is only marginally more deterministic than rolling the dice. It is very solvable for the short head of sites that make up 99% of phishing. Brave Inc. can audit the top sites (eBay, PayPal) that are targets of phishing (Brave can even see which sites are subject to it by monitoring user traffic anomalies) and then Brave should certify the cert. "Trusted by Brave" or whatever. The idea is to eliminate CAs not build CAs. The UI hint is from the browser and users will blame the browser if it's wrong. The browser vendor should stand behind it. |
I'd really like to have EV support. At least in the UK, pretty much all banks use EV on their Internet banking services, and I'm generally in the habit of glancing at the address bar when I access my bank. I realise that EV doesn't solve the general problem, but it does help with Internet banking, and IMHO that is an important enough use case. I shouldn't have to switch back to Firefox to access my bank, but at the moment dong banking in Brave makes me uncomfortable. I realise that the discomfort is not entirely rational - but when you've been in the habit for several years of checking that the bank's name appears in the adress bar then using Brave is quite disconcerting. |
@andreasgal Denying sites outside the top 500 the ability to authenticate their identity obviously sucks. There are many reasons to prove a real legal identity online that have nothing to do with phishing.
You can support web of trust concepts, but not showing existing authentication info to users is a bad idea. |
Test plan
#11776 (comment)
Hi Yan, you mentioned the issue of whether to show these details is separate, so as mentioned, I've filed a separate ticket. Thanks for giving this some thought.
Current Brave beta
Alice wants to connect to Bob, Inc.
Brave 0.7.14 looks like:
The real Bob, Inc has had background checks to match a legal entity to their public key. Thus the verified
organization
andjurisdictionOfIncorporatedCompanyName
are included inside their certificate. Other browsers show this to prominently to Alice when she connects. However, based on current Brave proposals, this is not shown to Alice in Brave unless she explicitly investigates the certificate.Malory registers www.bob.com.mg and gets a certificate. Brave 0.7.14 looks like:
Not noticing the subtle difference from Brave's normal display, Alice POSTs her banking credentials to a site that is not Bob Inc. The site that is not Bob Inc uses these credentials to steal from Alice.
A study showed IE7's security UI wasn't very good at this.
That's correct. The Jackson study showed that extended validation as implemented in IE7's security UI was not understood by users. Brave can do security UI better than IE7, which showed the DNS domain as the first thing in address bar, right aligning and contracting the verified organisation name.
Here's the browser used in Jackson. The 'Identified by Microsoft' is the truncated version of the organisation name, though in this image (taken from Jackson) the truncation makes the verified organisation name not appear to the user:
A decade later, here's the current version of the same browser. Note how prominently show the validated legal entity is shown to users:
Alice is busy and has other things to do besides look for subtle DNS differences
Alice is busy and has other things to do than spot the subtle distinction between:
and
Alice wishes to connect to the legal identity that is her bank, not a DNS domain.
Has there been independent studies on the effectiveness of EV UIs of modern browsers?
I've asked APF and unfortunately Chrome hasn't run any tests on the effectiveness of their EV UI. It could be interesting to chase the Edge and FF teams.
Proposal: prominently show validated legal identity & jurisdiction to users
Show the verified
organization
andjurisdictionOfIncorporatedCompanyName
in a way that is effective at making similar looking DNS domains where the identity has not been verified appear different to users.Or any better way that achieves the same objective - you're the security engineer, this is your show!
The text was updated successfully, but these errors were encountered: