I have very little faith in the opinions of "browser security developers" at the moment on account of browser security being a joke. Their focus has been on technical security but lacks practical security. Yes, stripe.ian.sh exists, but have you ever seen a truly malicious use of EV?
Browser security developers concern themselves with arcane exploits of sandboxes while they hardly seem to mind that every browser extension has full read/write access to everything people see and do.
EV has flaws, but it's better than literally anything else. We shouldn't be promoting HTTPS if it isn't solving this; the other problems it attempts to solve are mostly overstated, because phishing is a vastly bigger threat than MITM.
EV has theoretical flaws but solves real problems, HTTPS without it has real problems and largely solves theoretical flaws.
> but have you ever seen a truly malicious use of EV?
Assuming there hasn't been, I think this just supports the idea that EV certs aren't useful: the bad guys don't even feel the need to try to use them maliciously!
Or the return isn't worth it. Malicious actors have to assume that any given domain, certificate, URL, etc. will get blocked or shut down by the security industry, so being able to cycle those endpoints is key. EV is not easy to automate/cycle, and can also be more cost prohibitive, so each cycle is less profitable as well.
That's my point: Systems that don't scale are less profitable to attempt to abuse for malicious ends, because more time and effort has to be invested into any given effort, and ideally, there are actual humans involved in the process which catch discrepancies.
The other reason you may not see a lot of attempts to find exploits in EV (apart from Ian) is that most of the sites bad actors want to pretend to be aren't using EV either. If you want to fake yourself as Google, EV isn't going to help you since Google doesn't use it.
I would argue that the claim "bad actors aren't trying to abuse it so it isn't effective" is silly, as that claim would apply to every method that bad actors can't meaningfully abuse.
Frankly, I have yet to see a typical user point out EV as a problem solver. Usually, when I try to explain my work with EV to an average user, nobody knows what I'm talking about.
I would argue that's because the companies that should be using EV aren't, so users don't see EV often enough. Google, Microsoft, etc. have no excuse not to be using, and emphasizing, EV certificates. Consider how many "Microsoft support" scams would fall flat on their face if people were taught to check that the company they're dealing with was named in a green box near the URL, and EV certs were shored up so that only major Fortune 500 or so companies were able to participate.
And before someone suggests that users can't be taught this, there's precedent: We've been trying to teach users not to trust that "Secure" badge/lock icon they've gotten used to. The difference is, the secure icon never represented that they were communicating with someone trustworthy, but the EV designation would.
EDIT: Also, hi Ian! stripe.ian.sh makes you a minor celebrity, and I'm honored by your presence. ;)
It's not Google's job to prop up CA vendors' business selling snake-oil certs. They don't see them as useful. There is compelling evidence that they aren't. So, Google is absolutely right not to encourage people to drop $2k+/year on Comodo for worthless certs and a "warranty" that means nothing.
But pushing snake oil certs is exactly what they've been doing by forcing people to use HTTPS to avoid scare tactic "Not Secure" warnings. HTTPS is far less helpful than something like EV that includes identity, rather than an ethereal statement that you have an encrypted connection to "someone".
The article makes a pretty compelling point that EV certs are worthless. Google and Apple seem to think that EV is worthless - that is why they are removing special treatment for them from their browsers. Many of the largest sites in the world that are the most appealing targets to phish have voted that they are worthless by not purchasing them.
> forcing people to use HTTPS to avoid scare tactic "Not Secure" warnings.
"Not Secure" is a literal description of the state of the connection. It's not secure. What should a browser say? I guess nothing, because your site is so special that its users should be OK with having someone MITM the connection and inject who knows what into the page. Whether or not that is OK isn't your decision to make; it's the right of your users to make that decision, and saying "Not Secure" helps them. That you find that inconvenient for you is well ... inconvenient for _you_.
> HTTPS is far less helpful than something like EV that includes identity
The article makes a pretty compelling point that EV certs are worthless and do no better a job at providing security than regular certs.
I don't find the article's arguments compelling at all, hence my statements contrary to it. Many of the arguments against EV, including in this article, are circular and depend on appeal to authority towards companies who don't like them.
When people insist EV has value, they almost always base it on some hand-wavy claims about preventing phishing. Cite research (not advertising claims from CAs) showing that significant numbers of users are aware of EV and use it as an indicator when deciding whether to trust a site, for example.
The problem is you won't be able to; the average web user is barely aware of what the various things in the URL bar mean, if they're even aware of the URL bar at all, as decades of user research have taught us. So it always just comes back to hand-wavy stuff. And hand-wavy isn't enough to justify the cost of the system.
Meanwhile, we have real, hard evidence that even technically-literate, security-savvy users can easily be fooled into giving up their credentials, and even will bypass mechanisms intended to get in the way of them giving up their credentials. I'm going to keep plugging this phishing talk until everyone has internalized that message:
We have various case studies of different websites using them and then switching away from them without any user outcry - again, showing they are useless.
We have various examples of CAs making highly misleading claims with a clear intent to financially benefit themselves.
We have a "warranty" that no one will explain what it means.
We have major browsers, saying they are worthless by removing their special treatment.
We have major websites voting with their feet, never using them, indicating they are useless.
It's extremely unclear to me exactly what you are objecting to. Maybe if they were useful, then they would be useful, but that's circular.
Comodo has apologized for incorrectly revoking the certificate for stripe.ian.sh and offered a new EV cert.
https://www.comodoca.com/en-us/about/blog/on-comodo-ca’s-rec...
In fact, many browser security developers would disagree with your assessment:
https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...