Topic: Browsers showing positive indicators for DV certs causes Consumer Harm

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • Posts: 14623
    • Video Blog
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #15 on: September 11, 2017, 08:44:03 PM »
Quote
The driver can sometimes drive several kilometres without seeing a single traffic light of any colour. Or wait, since there is no green light, according to your reasoning, no driving? I think the nearest traffic light is 1½ km from where I live. Should I expect lots of new traffic lights, so at least one is always in sight?

Your logic is flawed, because now you are bringing into the equation the aspect of having no traffic lights. This is merely an investment optimization that is applicable to the physical world, not the internet, as there is no cost to either showing red or green.... Either the presence of red will stop.... or the lack of green will stop (which means the presence of green is good).... both do the same thing.

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • Posts: 5279
  • I believe in doubt.
    • Evolutionary history of life
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #16 on: September 12, 2017, 03:08:53 AM »
So the driver can drive without seeing a lit green traffic light? Good. That means that what the driver really needs to look for are unlit green traffic lights. A bit distracting to the driver, isn’t it? And it’s very hard to see an unlit anything in the dark. Oops! I think it’s better that we return to the digital world.

“both do the same thing”

Do they? I attached four indicators (1, 2, 3, 4). Currently about sixty percent of the connections browsers make are secure (indicator 1), and consequently, about forty percent are insecure, for which most browsers show a neutral indicator (2). While a green (positive) indicator for secure connections is not very controversial, it is debatable how useful it is. More controversial is the neutral indicator (= your unlit green traffic light) for insecure connections. Is a neutral indicator (2) a clear signal of anything? Is even (3), saying “Not secure” in a neutral colour, a very clear signal? Or is (4) (= my lit red traffic light) needed to tell users that the connection is not secure?

Test that on a random selection of users. I doubt a neutral indicator will make any user leave the site, or even hesitate to stay on it. Hopefully at least some users will hesitate to log in, or register, but probably you will find that (3), what Chrome and Firefox currently do, or even (4) is needed there.

When even more connections are secure, maybe (3) can be used for insecure connections, and (4) for insecure connections to pages for logging in, registering etc.

And again, I think it makes less sense to tell/encourage people to do what they intend to do, because they will do it (visit a website or drive from one place to another) anyway. What you need to tell people is that they for some reason need to do something they did not intend, like not visit a site, or not submit information to it.

Also, protections like Safe Browsing use negative alerts. If you try to go to a site that is known to be fraudulent or malicious, a red warning is shown in the entire browser window. Does it not make sense to use only one type of colour signal, rather than sometimes use neutral for insecurity/danger and sometimes red?
Ubuntu 17.10 | Chrome 63β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline Melih
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #17 on: September 12, 2017, 08:34:01 AM »
lol..now you are talking about usability of these.....

I just passed through a cross junction... was I supposed to? Did I miss a red light because they are too far in between and I stopped "expecting" them?

Do you expect the "road" to look like a "road" when you are on it? What if it changes all of a sudden... will you notice?

Now you are moving into twilight zone with your argument....

Not to mention, in security it's sometimes more secure and practical to provide positive indicators.... like in real life we issue passports.... you have to "positively" show your passport to get into the country.... etc...

You have a very flawed argument and naive approach to security thinking everything can be done using negative indicators.

Offline JoWa
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #18 on: September 12, 2017, 11:00:16 AM »
Test it! Then you will know what is flawed and what works. If you think you can find the best possible solution without testing, I think we can talk about a naive approach.

Offline Melih
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #19 on: September 12, 2017, 01:29:50 PM »
Quote
Test it! Then you will know what is flawed and what works. If you think you can find the best possible solution without testing, I think we can talk about a naive approach.

Please help me test the following use case:
I want to use a negative indicator (not positive).

A country that wants to check who is legitimately entitled to enter the country.

:)

Offline JoWa
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #20 on: September 13, 2017, 12:02:47 AM »
What does that have to do with anything?

I think you are just avoiding the question, about testing which indicators in a browser are the most (and least) helpful to users.

As a browser vendor, I expect you to welcome research that helps you design your browser in such a way that it helps as many users as possible to make the best security decisions in every situation. If you find the available research unreliable, do your own tests, and publish the report, with method and results and all (trust through transparency).

As a CA, on the other hand, I understand that you welcome some results more than others. CAs, of course, want their products, the certificates, to be as visible as possible in the browser. Not least EV, the currently most visible (and expensive) type of certificate. If the indicator goes away, it will be very hard to sell EV certificates.

Online Dolphin66

  • Comodo's Hero
  • Posts: 416
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #23 on: September 13, 2017, 07:47:56 AM »
Hi Melih,

Heard this yesterday on the Security Now podcast from TWIT.tv -
Quote
Comodo Caught Breaking New CAA Standard One Day After It Went Into Effect

https://www.grc.com/sn/SN-628-Notes.pdf Page 8 - Not good news or PR  :-[
Desktop:- Windows 10 64bit Pro ¦¦ CIS 10.0.1.6294 ¦¦ CBU 4.4.1.23        Laptop:- Windows 10 64bit Home ¦¦ CIS 10.0.1.6294 ¦¦ CBU 4.4.1.23      Tablet:- ACER W4-820:- Windows 10 32bit Home ¦¦ CCAV 1.13.424807.562

Offline Melih
Re: Browsers showing positive indicators for DV certs causes Consumer Harm
« Reply #24 on: September 13, 2017, 10:00:59 AM »
Quote
Hi Melih,

Heard this yesterday on the Security Now podcast from TWIT.tv -
https://www.grc.com/sn/SN-628-Notes.pdf Page 8 - Not good news or PR  :-[

Yep.. all the details are in the response. We created the CAA standard and we broke it first. Not good! But our guys reacted very quickly. There are also other good things that will hopefully come out of this, like a new automated testing platform... because it was so new it was difficult to test CAA, as well as ways to report stuff back to CAs.. at the moment it's difficult.... so let's turn lemon into lemonade by learning from this and improving the overall security posture for the whole industry. A big thank you to the guys who keep a watchful eye on all this and alert us!
