Author Topic: Browsers showing positive indicators for DV certs causes Consumer Harm  (Read 871 times)

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14588
    • Video Blog

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5229
  • I believe in doubt.
    • Evolutionary history of life
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #1 on: September 10, 2017, 03:29:58 AM »
Quote from: Melih
You will hear people say: Yeah but end users don’t care about these indicators, look at the research papers …(and they will produce research papers that they paid for!)….
Is there research suggesting that average users are helped by the EV-indicator to distinguish between the intended site and a fraudulent site?
Quote from: Melih
My answer to them is: Then why have it? Remove it, your own paid research paper says no one cares, so remove it! You can’t have it both ways. You can’t say users don’t care but we will continue showing it to users knowing that it will cause harm to them.
That is the plan for Chrome:
Quote from: Ryan Sleevi (Google)
Thus, our focus is on introducing negative indicators that accurately reflect when there is no connection security, while also working to reduce the confusion introduced by the myriad of positive indicators by aligning to a single, neutral state.
https://cabforum.org/pipermail/public/2017-July/011671.html
A “single, neutral state” for secure connections, and negative indicators for insecure connections.
Ubuntu 17.04, 64-bit | Chrome 62β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline Melih

« Reply #2 on: September 10, 2017, 11:06:15 AM »
Quote from: JoWa
Is there research suggesting that average users are helped by the EV-indicator to distinguish between the intended site and a fraudulent site?
That is the plan for Chrome:
https://cabforum.org/pipermail/public/2017-July/011671.html
A “single, neutral state” for secure connections, and negative indicators for insecure connections.

You are missing the point Jowa.

1) browsers should stop displaying a misleading indicator
2) browsers should train users to look for proper indicators

Just because they have failed by confusing users with non uniform indicators, just because they failed by not educating users about what to look for, you cannot diminish the value of visual indicators.

Visual indicators are of value, if trained properly.

You are conflating the current state of affairs...which is a mess created by showing users indicators that shouldn't be there causing consumer harm.....not training users on the proper ones they should be looking at.....you are implying that Visual indicators are meaningless. You are simply wrong.

Visual indicators are very powerful...remember Traffic lights.... remember hologram on credit cards....we just have to use them properly.....that is the issue!

Offline JoWa

« Reply #3 on: September 11, 2017, 12:05:13 AM »
Educate and train users, why does that make me think of Σίσυφος? Maybe because trying to teach people something they do not want to be taught (like boring technical stuff) is like trying to defeat gravity. It fails every time.

If a solution is not effective for billions of users, ranging from about 5 to about 105 years, maybe changing the solution is a better way than trying to change all users. And as Cormac Herley (Microsoft) argues, “users’ rejection of the security advice they receive is entirely rational”.

Traffic lights work, and they would still work if the green light were removed. The driver only needs to know it has to stop (red light, negative indicator). If there is no light, keep going.

Offline Melih

« Reply #4 on: September 11, 2017, 12:33:05 AM »
Quote from: JoWa
Traffic lights work, and they would still work if the green light were removed. The driver only needs to know it has to stop (red light, negative indicator). If there is no light, keep going.

LOL....so very flawed....

Traffic lights would still work if the red lights were removed. The driver only needs to know it can go only if the light is green!

Offline JoWa

« Reply #5 on: September 11, 2017, 02:09:45 AM »
No, because to go from one place to another is in the driver’s interest. The driver, however, is not interested in stopping until it has arrived at that other place. That is why red traffic lights are needed, to avoid accidents. Green is redundant.

Similarly, web users are interested in going to various sites. They will go to those sites with or without a green traffic light (a positive indicator). They may even go to a site with a red traffic light (negative indicator), if they learn that it doesn’t mean anything (false alarm, as the users see it).

Offline Dennis2

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9226
« Reply #6 on: September 11, 2017, 03:37:06 AM »
Sorry, you need more than just red or only green; there are always some who will go through on a red thinking it just changed.

Firefox has recently introduced a warning when you log in on sites which do not use https. Why?

Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Fedora 25 x64, APF, HTTPS Everywhere, ABP
Centos-6.8 x32, APF, HTTPS Everywhere, ABP

Offline JoWa

« Reply #7 on: September 11, 2017, 07:20:43 AM »
Quote from: Dennis2
Firefox has recently introduced a warning when you log in on sites which do not use https. Why?
And so has Chrome (56), “as part of a long-term plan to mark all HTTP sites as non-secure”.

Offline Melih

« Reply #8 on: September 11, 2017, 08:28:01 AM »
Quote from: JoWa
No, because to go from one place to another is in the driver’s interest. The driver, however, is not interested in stopping until it has arrived at that other place. That is why red traffic lights are needed, to avoid accidents. Green is redundant.

Similarly, web users are interested in going to various sites. They will go to those sites with or without a green traffic light (a positive indicator). They may even go to a site with a red traffic light (negative indicator), if they learn that it doesn’t mean anything (false alarm, as the users see it).

The driver can go from one place to another without stopping as long as he sees green light! If no green light, stop...if Green light go....

Offline Dennis2

« Reply #9 on: September 11, 2017, 09:32:41 AM »
Quote from: JoWa
And so has Chrome (56), “as part of a long-term plan to mark all HTTP sites as non-secure”.
The "why" was for: why do it?

All should at least know that http is not secure; why not then educate them about which site is actually secure, instead of "all https are fine"?

Dennis

Offline JoWa

« Reply #10 on: September 11, 2017, 11:11:44 AM »
Quote from: Melih
The driver can go from one place to another without stopping as long as he sees green light! If no green light, stop...if Green light go....
The driver can sometimes drive several kilometres without seeing a single traffic light of any colour. Or wait, since there is no green light, according to your reasoning, no driving? I think the nearest traffic light is 1½ km from where I live. Should I expect lots of new traffic lights, so at least one is always in sight?

Offline JoWa

« Reply #11 on: September 11, 2017, 11:21:48 AM »
Quote from: Dennis2
The "why" was for: why do it?

All should at least know that http is not secure; why not then educate them about which site is actually secure, instead of "all https are fine"?
I think you, and most people here, know why. Because it is not good if users’ login credentials can be read by third parties, which is possible without TLS.

Be cautious when guessing what “all” should know.

To educate about which sites are “actually secure” you need to know which sites are actually secure. That is easier said than done.

I think users need clear and relevant warnings, and they are more about the content (malware, phishing) than the certificate. The latter does not say anything about the former.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23698
« Reply #12 on: September 11, 2017, 11:50:59 AM »
Quote from: JoWa
And so has Chrome (56), “as part of a long-term plan to mark all HTTP sites as non-secure”.
That's such a demagogue's trick; it's a scare tactic to make people believe the web (it's still mostly http) is a dangerous place. It's an abomination.

All users need to know is to look for https (either with EV or OV cert) when logging in on a website, and that they can look at what the browser tells them. The browser should send a positive sign of security when an OV or EV is being used.

Offline JoWa

« Reply #13 on: September 11, 2017, 01:04:22 PM »
Quote from: EricJH
That's such a demagogue's trick; it's a scare tactic to make people believe the web (it's still mostly http) is a dangerous place. It's an abomination.
About sixty percent of the connections made with Firefox (40 % in January 2016) and Chrome are now secure. For sites where people log in, that number is probably much higher.

Edit: changed January 2014 to January 2016.
« Last Edit: September 11, 2017, 03:18:46 PM by JoWa »

Offline Melih

« Reply #14 on: September 11, 2017, 01:13:45 PM »
Quote from: JoWa
About sixty percent of the connections made with Firefox (40 % in January 2014) and Chrome are now secure. For sites where people log in, that number is probably much higher.

LE's contribution is much less than 2% of the traffic according to Mozilla telemetry (https://crt.sh/mozilla-certvalidations)...Yet it represents huge amount of the Phishing attacks...huge majority is provided by Symantec and Comodo...

 
