[cabfpub] Request for help from browser vendors
kirk_hall at trendmicro.com
Wed Mar 11 18:38:20 UTC 2015
There have been a number of major browser response changes that result in lots of calls to the issuing CA, and in many cases we aren't really sure why the browser is doing what it is doing. It would be incredibly helpful to have this information in a timely, consistent, public way.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Wednesday, March 11, 2015 11:29 AM
To: public at cabforum.org
Subject: [cabfpub] Request for help from browser vendors
I made this request to the browser vendors in the Face-to-Face meeting today:
Browsers have been making a lot of security-related UI changes lately. Sometimes they're related to the certificate, or the certificate chain. Those are relatively easy to figure out. Browser vendors have indicated that they will also degrade security UI based on connection-related properties like negotiated ciphersuite or session key size. Those will be more difficult to figure out.
Some browsers may begin degrading UI based on properties related not just to the main connection (that retrieves the requested page) but to all the other connections that retrieve subordinate resources (like scripts, images, etc.). I'm concerned that it will be extremely difficult for the end user to figure out that out of the many connections needed to build a page, one single connection to fetch an ad or to include some web analytics violated some requirement and caused the EV treatment to disappear, for example.
In many such cases, customers turn to the CA for support, and we're finding it increasingly difficult to determine why a particular security-related UI is displayed. I've asked the major browser vendors to help by writing some relevant information to their debug log. It's fine if the CA or the customer needs to run the browser in debug mode, or launch the Web or Developer Console, as long as we're able to drill down and find something like "EV treatment removed for site [s] because [x] happened on connection to [y]", or "Security warning shown because SHA-1 present in cert chain".
If the browser vendors reply to the public list with detailed instructions, I'll collect all the info on the CAB Forum wiki. Thanks,
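As an added illustration of the "weakest connection wins" behaviour described in the request above (this is example code written for this archive page, not code from either poster or from any browser vendor): a small audit that models one page load as a list of TLS connections, applies a policy to each, and emits the kind of debug-log line the request asks for, naming the single subresource connection that cost the page its EV treatment. The policy thresholds (SHA-1 or MD5 signatures in the chain, RC4/DES/export ciphers, session keys under 128 bits) and the sample page load are assumptions chosen for illustration; no browser's actual rules appear on the page.

```python
from dataclasses import dataclass

# Policy thresholds: assumptions for illustration only, not any browser vendor's
# published rules (those are not stated anywhere in the thread).
WEAK_CIPHER_TOKENS = {"RC4", "DES", "NULL", "EXP", "EXPORT", "MD5"}
MIN_SESSION_KEY_BITS = 128
DEPRECATED_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass
class Connection:
    host: str             # server the TLS connection was made to
    role: str             # "main" for the page itself, "subresource" for scripts, images, ads, ...
    chain_sig_algs: list  # signature algorithm of each chain cert, leaf first, root excluded
    cipher: str           # negotiated ciphersuite in OpenSSL naming
    key_bits: int         # symmetric session key size
    ev: bool              # leaf certificate carries an EV policy OID


def check_connection(conn):
    """Return the policy violations on one connection as human-readable reasons."""
    reasons = []
    for idx, alg in enumerate(conn.chain_sig_algs):
        if alg in DEPRECATED_SIG_ALGS:
            reasons.append(f"{alg} present in cert chain (cert #{idx}, 0 = leaf)")
    if WEAK_CIPHER_TOKENS & set(conn.cipher.split("-")):
        reasons.append(f"weak ciphersuite {conn.cipher} negotiated")
    if conn.key_bits < MIN_SESSION_KEY_BITS:
        reasons.append(f"session key size {conn.key_bits} below {MIN_SESSION_KEY_BITS} bits")
    return reasons


def audit_page(connections):
    """Apply the weakest-connection rule across a whole page load.

    Returns (ev_shown, log_lines). EV treatment survives only if the main
    connection has an EV certificate and no connection on the page, main or
    subresource, violates the policy. Every violation produces one debug-log
    line that names the offending connection, so the cause is traceable.
    """
    main = next(c for c in connections if c.role == "main")
    ev_shown = main.ev
    log = []
    for conn in connections:
        for reason in check_connection(conn):
            if main.ev:
                verdict = f"EV treatment removed for site {main.host}"
            else:
                verdict = f"Security warning shown for site {main.host}"
            where = "main connection" if conn is main else f"connection to {conn.host}"
            log.append(f"{verdict} because {reason} on {where}")
            ev_shown = False
    return ev_shown, log


# Constructed page load (not captured from a real browser): the page and its
# CDN are clean, an ad network negotiates RC4, and an analytics host still has
# a SHA-1-signed intermediate in its chain.
SAMPLE_PAGE = [
    Connection("www.example.com", "main",
               ["sha256WithRSAEncryption", "sha256WithRSAEncryption"],
               "ECDHE-RSA-AES128-GCM-SHA256", 128, ev=True),
    Connection("cdn.example.com", "subresource",
               ["sha256WithRSAEncryption", "sha256WithRSAEncryption"],
               "ECDHE-RSA-AES256-GCM-SHA384", 256, ev=False),
    Connection("ads.example.net", "subresource",
               ["sha256WithRSAEncryption", "sha256WithRSAEncryption"],
               "ECDHE-RSA-RC4-SHA", 128, ev=False),
    Connection("analytics.example.org", "subresource",
               ["sha256WithRSAEncryption", "sha1WithRSAEncryption"],
               "ECDHE-RSA-AES128-SHA", 128, ev=False),
]

if __name__ == "__main__":
    shown, lines = audit_page(SAMPLE_PAGE)
    print("EV shown:", shown)
    for line in lines:
        print(line)
```

Run as a script, the sample reports that EV is not shown and prints two lines, one blaming the RC4 ciphersuite on ads.example.net and one blaming the SHA-1 intermediate on analytics.example.org; with only the first two connections the page keeps EV and logs nothing. That per-connection attribution is exactly what a CA support desk cannot reconstruct from the address-bar UI alone.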