<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>This discussion has gone on for a week now, and the browsers are very tough. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>I suggest we stop the war of words, since it can’t solve anything.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Chinese has an idiom, “</span><span lang=ZH-CN style='font-family:宋体;color:#1F497D'>求人不如求己</span><span style='font-family:"Calibri",sans-serif;color:#1F497D'>” (better to rely on yourself than to ask others for help). I think this is why Comodo is doing its own browser.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Richard<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Tuesday, November 11, 2014 9:25 AM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> CABFPub<br><b>Subject:</b> 
Re: [cabfpub] DV/OV UI<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Nov 10, 2014 at 2:19 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><p class=MsoNormal>Gerv wrote:<br>"Can an attacker get an OV certificate with a bogus O field? However hard<br>you think that is, it's certainly easier to do that for OV than for EV."<br><br>And it's much, much easier for an attacker to get a DV certificate.<br><br>Here are some statistics:<br><br>1. Roughly 1/3 of e-commerce websites use DV certificates<br>2. DV certificates are more likely to be used by cybercriminals for<br>e-commerce fraud (see #4)<br>3. 25,000 suspected phishing sites were using SSL in the year leading up to<br>March 2014<br>4. I asked Netcraft to provide me with some data related to this and<br>although I'm not allowed to release the report (due to contractual<br>agreements with Netcraft), I was able to get this statement released: "A<br>recent Netcraft study showed that 78% of SSL certificates found on servers<br>hosting fraudulent websites were Domain Validated. While the majority were<br>not obtained exclusively for phishing, those with misleading domains were<br>subject only to domain validation."<br><br>As Eddy noted, there are many appropriate uses for DV certificates and in no<br>way do I want to diminish or degrade that experience for those use cases.<br>E-Commerce however is another story and given the fraud stats above, the<br>risks presented by DV certs in e-commerce are significant. 
I applaud Eddy<br>for refusing to provide DV for e-commerce websites.<br><br>Since people are throwing around studies claiming that users don't look at<br>security warnings, I'll counter with this one:<br><a href="http://people.scs.carleton.ca/~paulv/papers/ccsw09.pdf">http://people.scs.carleton.ca/~paulv/papers/ccsw09.pdf</a><br>It's an interesting but very technical read. The summary, which is talking<br>about an alternative cert UI, says:<br>"The alternative (UI) design demonstrated significant improvements over IE<br>in the following areas:<br>- easier to find web site ownership information<br>- easier to find and understand data safety information<br>- increased confidence in data safety (when encryption<br>is present)<br>- accuracy of security decisions"<br><br>From my interpretation, users can understand (if properly presented) and<br>will take appropriate action. The mockups in the paper all show that privacy<br>is protected (encryption) but provide 3 levels of identity: Low<br>(corresponding to DV), Medium (corresponding to OV) and High (corresponding<br>to EV) as indicated by words and pictures.<br><br>Why do cybercriminals bother to get certificates at all? It's because users<br>are more informed and are becoming trained to look for the lock or https. To<br>"legitimize" their hack, cybercriminals are increasingly bothering to obtain<br>certs for these sites. And DV certs make it easy for them.<br><br>But, it's been made clear that browsers don't support additional UI features<br>for DV/OV/EV. OK, fine, let's move on from that. What about disallowing DV<br>for e-commerce sites? I recall this being discussed about 5 or so years ago<br>and from what I remember, it didn't pass because of a debate around what<br>constitutes an e-commerce site. It could be as simple as: (1) it collects<br>payment info (i.e. 
credit card, Paypal, etc) and (2) runs a checkout module.<br><br>Dean Coclin<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As noted in the past, I don't think we really agree with your conclusions, nor are we terribly interested in this proposal. Nor is it really implementable.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal>Ryan<o:p></o:p></p></div></div></div></div></div></body></html>