Security at a glance

General project discussion
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Locked
User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 27932
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Security at a glance

Post by Moonchild » 2019-10-28, 01:01

In this post I'd like to touch on a rather disturbing development in the browser world: removal of security-at-a-glance, or further watering down the awareness and value of proper website security through https.

Why now? Because as a side effect of finding a reference for explanation of our UI, I read that Google Chrome 76 and Firefox 70 remove the special indicators for EV certified sites. Firefox 70 having just hit the release channel.
For those unfamiliar with the various terms, EV (extended-validated) is a very strict certification reserved mainly for banks and other high-stakes websites that need legal and financial insurance from certificate authorities for the security of their sites. The indicator in Basilisk and Pale Moon for this is a green padlock and identity name display in the address bar.

As argumentation for removing the indicators from view is the backwards logic in a study by Thompson et al that "it requires the user to notice the absence of the EV indicator on a malicious site". It's backwards logic, because the study assumes that users have not been made aware of basic security practices when browsing and find nothing wrong when e.g. their bank suddenly isn't displaying the bank's name in the UI to indicate that yes, they are indeed connected to the legal entity they want to connect to. Removal of any distinction between EV and non-EV does indeed remove the fact that a user would have to notice the absence of the EV indicator, because no such indicator is ever shown any more. But that doesn't solve the problem, quite the opposite! It's like saying that neutering a dog has improved the dog's health because there's now 0% chance of testicular cancer.
Even more so, making the website security indication exactly equal (both in display of information (or lack thereof) and display of any other distinction (color) that it's EV or not) to the indication used for what has now been trivialized to 1-factor, automated "validation" through Let's Encrypt that anyone not even connected to a domain or its owners can get certificates issued through, absolutely ensures that the users will be completely oblivious that they are on a malicious site, by removing security-at-a-glance from the browsers' UIs in these browsers. Even the ones normally aware of what they should look for -- because nobody is going to religiously click the padlock to check if the details of the connection are correct every time...

Having a UI that, in one glance, provides you with all the necessary information to know if the login or transaction your are about to perform is safe is absolutely essential for using the Internet where every user can be exposed to criminals if they are not careful and conscious about their actions. A web browser is supposed to be a tool that helps the user navigate the potentially dangerous waters they are in on the world wide web. We've done a good job of it in the past few decades, but what mainstream is doing here is really unacceptable.

Mozilla touts this as "improved", but how is ensuring that a malicious site looks exactly the same as a legitimate site improved when compared to clearly indicating EV certificate identities? Prominently displaying http sites as "not secure" is also not an improvement, because any malicious site, as said, will easily be able to have a certificate issued to them through LE and have a valid https connection without any trouble. Even aside from the fact that many sites don't need https per se because they don't handle sensitive data (although that's just an aside here and can be discussed elsewhere if desired -- please don't detract from the core of this post by going off on that tangent if you want to reply).

I say it's several steps backward in terms of having a proper browser: (1) it removes essential information (identity name) from view, (2) it removes clear distinction from the UI between painstakingly verified legal entities and trivial automated issued certificates that anyone can get anonymously and will never be revoked, and (3) completely misses the mark for "secure browsing" with the "not secure" indicator on http sites that should be reserved for websites with broken security, not sites that are intentionally not using encrypted traffic; any malicious site trying to steal credentials will be using https to be successful these days.

Needless to say, we will not be following this trend and you can expect to continue seeing identity names and green padlocks for EV websites in Pale Moon and Basilisk.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 7898
Joined: 2012-10-09, 19:37
Location: Space, maybe..

Re: Security at a glance

Post by New Tobin Paradigm » 2019-10-28, 02:29

Needless to say, we will not be following this trend and you can expect to continue seeing identity names and green padlocks for EV websites in Pale Moon and Basilisk.
And Borealis Navigator, if it ever reaches release..
Last edited by Moonchild on 2019-10-28, 08:21, edited 1 time in total.
Reason: Added quote for clarity what the remark refers to.

Image

- Provocative and Fascinating. That's two great things! -

Image

Locked