Remove Autoresponder from mozilla.dev.security.policy list
Categories
(Infrastructure & Operations :: Infrastructure: Mail, task)
Tracking
(Not tracked)
People
(Reporter: wthayer, Assigned: cshields)
Gijs reported receiving the following message after sending a message to the mozilla.dev.security.policy mailing list. Please remove the subscriber who sent it - probably a @worldskills.ru address.
-------- Forwarded Message --------
Subject: Website owner survey data on identity, browser UIs, and the EV UI
Date: Sun, 22 Sep 2019 14:49:21 +0000
From: UseDesk Bot <bilet@worldskills.ru>
Reply-To: bilet@worldskills.ru
To: Gijs Kruitbosch via dev-security-policy <gijskruitbosch@gmail.com>
Hello!
Thank you for contacting technical support. We will reply to you soon.
If you are writing about a problem or an error on the site, we can help you faster if you provide the following information:
The date and time when you encountered the problem (Moscow time)
The login/password of the profile in which the problem was found
The browser you are using
What device are you using to access the site? Is it a phone or a computer? Name the operating system
List the actions that led you to the error (in order: you logged in to your personal account, what did you click next, what did you enter?)
Attach a screenshot or video recording that shows the error
You can send these details and add to your request in a reply message.
Sent using UseDesk
2019-09-22 14:49:20 UTC Gijs Kruitbosch via dev-security-policy <gijskruitbosch@gmail.com>:
(For the avoidance of doubt, although I work for Mozilla, as noted on
the wiki I post in a personal capacity)
In addition to Ryan's excellent points, I wanted to briefly point out a
few things related to your survey:
On 22/09/2019 00:52, Kirk Hall wrote:
(1) *97%* of respondents agreed or strongly agreed with the statement: "Customers / users have the right to know which organization is running a website if the website asks the user to provide sensitive data."
Although I intuitively would like to think that we have a right to know
"who is running a website", this doesn't mean that EV certificate
information is an appropriate vehicle for this information. Even without
all the significant issues that EV certification has, if we pretended it
was perfect, it still only shows UI for the tls connection made for the
toplevel document, whereas other resources and subframes could easily
have (and usually do) come from other domains that either do not have an
EV cert or have one belonging to a different entity. And even if that
were not the case, the entity controlling the website does not
necessarily control the data in a legal sense.*** So the EV UI does not,
in the legal sense, always indicate who will control the "sensitive
data" that users/customers submit.
(2) *93%* of respondents agreed or strongly agreed with the statement “Identity on the Internet is becoming increasingly important over time.”
This sounds very nice but doesn't mean anything. What kind of identity?
Whose identity? Important to whom? Why does it have anything to do with EV?
(3) When respondents were asked “How important is it that your website has an SSL certificate that tells customers they are at your company's official website via a unique and consistent UI in the URL bar?” *74%* said it was either extremely important or very important to them. Another *13%* said it was somewhat important (total: *87%*).
This again sounds very nice, but surely the actually important thing is
that (potential) customers realize when they are *not* at that official
website when some other website tries to persuade them to part with
their data/money (so that they don't, or if they do, don't blame the
"real" company later)? As has been pointed out repeatedly in this forum,
we have pretty good evidence that customers do not, in fact, realize the
absence of the EV indicator, as well as evidence that such indicators
can be "spoofed", viz. the Stripe Inc. work.
If anything, this survey shows that the 87% of people who thought this
was important misunderstood where the risks of digital identity
confusion lie.
(4) When respondents were asked “Do you believe that positive visual signals in the browser UI (such as the EV UI for EV sites) are important to encourage website owners to choose EV certificates and undergo the EV validation process for their organization?” *73%* said it was either extremely important or very important to them. Another *17%* said it was somewhat important (total *90%*).
This implies that the UI is the/a main motivator for people to get these
certificates, but doesn't by itself have any implications for the
importance of that UI in keeping consumers and businesses safe.
If 90% of people surveyed think that people should wear helmets when
cycling, that's good for people selling bicycle helmets but doesn't have
anything to do with how effective those helmets are at preventing
injuries in cyclists.
(5) *92%* agreed or strongly agreed with the statement: “Web browser security indicators should be standardized across different browsers to make the UI easier for users to understand.”
(6) Finally, when asked “Do you think browsers should standardize among themselves on a common Extended Validation UI so that it appears roughly the same in all browsers?” *91%* said yes.
Both of these actually appear to be arguments for Firefox not to
reinstate its in-address-bar EV UI, given that all the other browsers
have moved this information out of there. The most consistent UI is only
providing this information when activating (clicking/tapping/...) the
lock icon, which is what browsers have now pretty universally implemented.
We again recommend the binary Apple UI to all browsers, which works in both desktop and mobile environments and distinguishes between EV/identity sites (with a green lock symbol and URL) and DV/anonymous sites (with a black lock symbol and URL) – check it out in an iPhone. (Apple did not eliminate the EV UI, as some have erroneously said.) This is easy for users to understand at a glance.
With due respect to the good folks at Apple, I do not believe this is an
accessible solution (distinguishing information only by colour,
https://www.w3.org/TR/WCAG20/#visual-audio-contrast ).
Additionally, (even if we presuppose EV certs were perfect) it does not
help address the requests made in your survey's questions #1 and #3, ie
which organization is actually running this website or controlling your
data? It only establishes that *some* organization got an EV certificate
for this site... you'd have to click/tap through to see, and your own
recommendation text here suggests this is "easy for users to understand
at a glance", glossing over the fact that they would actually have to
click through to see the identity information that you think is so
important, and that even then they may be vulnerable to confusion given
all the prior research into how poorly enforced restrictions in company
registers are in many countries, the possibility for confusion across
jurisdictions, etc.
In other words, it is not "easy to understand" at all...
~ Gijs
*** This may be a confusing point. In the EU, under GDPR, it appears
(IANAL) to be legal for an organization to run a database and front it
with a website allowing modification, on behalf of some other entity. In
this case, that other entity is the data controller, the website
operator is "merely" the "data processor". For a practical example, the
UK electoral register (or "electoral roll") is considered held/"owned"
by individual councils, but usually updating their records is contracted
out to private companies as it's felt they'd do a better job than the
small council's own IT department in managing/securing this data. An
example is ERS, whose privacy policy is here
https://householdresponse.com/Home/Policy . The certificate is for
"Electoral Reform Services Ltd (GB)", but the data controller is
actually the respective city/town/borough/county councils, and if I
wanted to request copies or corrections of the information held on me
from the register, under GDPR I'd have to contact my council, not the
company running the website; ditto for requests to "stop processing [my]
information".
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy