Wed Mar 11 18:29:09 UTC 2015

I made this request to the browser vendors in the Face-to-Face meeting today:

Browsers have been making a lot of security-related UI changes lately. Sometimes they're related to the certificate, or the certificate chain. Those are relatively easy to figure out. Browser vendors have indicated that they will also degrade security UI based on connection-related properties like negotiated ciphersuite or session key size. Those will be more difficult to figure out.

Some browsers may begin degrading UI based on properties related not just to the main connection (that retrieves the requested page) but to all the other connections that retrieve subordinate resources (like scripts, images, etc.). I'm concerned that it will be extremely difficult for the end user to figure out that out of the many connections needed to build a page, one single connection to fetch an ad or to include some web analytics violated some requirement and caused the EV treatment to disappear, for example.

In many such cases, customers turn to the CA for support, and we're finding it increasingly difficult to determine why a particular security-related UI is displayed. I've asked the major browser vendors to help by writing some relevant information to their debug log. It's fine if the CA or the customer needs to run the browser in debug mode, or launch the Web or Developer Console, as long as we're able to drill down and find something like "EV treatment removed for site [s] because [x] happened on connection to [y]", or "Security warning shown because SHA-1 present in cert chain".

If the browser vendors reply to the public list with detailed instructions, I'll collect all the info on the CAB Forum wiki. Thanks,