Security at a glance


Post by Moonchild » 2019-10-28, 01:01

In this post I'd like to touch on a rather disturbing development in the browser world: removal of security-at-a-glance, or further watering down the awareness and value of proper website security through https.

Why now? Because as a side effect of finding a reference for explanation of our UI, I read that Google Chrome 76 and Firefox 70 remove the special indicators for EV certified sites. Firefox 70 having just hit the release channel.
For those unfamiliar with the various terms, EV (extended-validated) is a very strict certification reserved mainly for banks and other high-stakes websites that need legal and financial insurance from certificate authorities for the security of their sites. The indicator in Basilisk and Pale Moon for this is a green padlock and identity name display in the address bar.

As argumentation for removing the indicators from view is the backwards logic in a study by Thompson et al that "it requires the user to notice the absence of the EV indicator on a malicious site". It's backwards logic, because the study assumes that users have not been made aware of basic security practices when browsing and find nothing wrong when e.g. their bank suddenly isn't displaying the bank's name in the UI to indicate that yes, they are indeed connected to the legal entity they want to connect to. Removal of any distinction between EV and non-EV does indeed remove the fact that a user would have to notice the absence of the EV indicator, because no such indicator is ever shown any more. But that doesn't solve the problem, quite the opposite! It's like saying that neutering a dog has improved the dog's health because there's now 0% chance of testicular cancer.
Even more so, making the website security indication exactly equal (both in display of information (or lack thereof) and display of any other distinction (color) that it's EV or not) to the indication used for what has now been trivialized to 1-factor, automated "validation" through Let's Encrypt that anyone not even connected to a domain or its owners can get certificates issued through, absolutely ensures that the users will be completely oblivious that they are on a malicious site, by removing security-at-a-glance from the browsers' UIs in these browsers. Even the ones normally aware of what they should look for -- because nobody is going to religiously click the padlock to check if the details of the connection are correct every time...

Having a UI that, in one glance, provides you with all the necessary information to know if the login or transaction you are about to perform is safe is absolutely essential for using the Internet where every user can be exposed to criminals if they are not careful and conscious about their actions. A web browser is supposed to be a tool that helps the user navigate the potentially dangerous waters they are in on the world wide web. We've done a good job of it in the past few decades, but what mainstream is doing here is really unacceptable.

Mozilla touts this as "improved", but how is ensuring that a malicious site looks exactly the same as a legitimate site improved when compared to clearly indicating EV certificate identities? Prominently displaying http sites as "not secure" is also not an improvement, because any malicious site, as said, will easily be able to have a certificate issued to them through LE and have a valid https connection without any trouble. Even aside from the fact that many sites don't need https per se because they don't handle sensitive data (although that's just an aside here and can be discussed elsewhere if desired -- please don't detract from the core of this post by going off on that tangent if you want to reply).

I say it's several steps backward in terms of having a proper browser: (1) it removes essential information (identity name) from view, (2) it removes clear distinction from the UI between painstakingly verified legal entities and trivial automated issued certificates that anyone can get anonymously and will never be revoked, and (3) completely misses the mark for "secure browsing" with the "not secure" indicator on http sites that should be reserved for websites with broken security, not sites that are intentionally not using encrypted traffic; any malicious site trying to steal credentials will be using https to be successful these days.

Needless to say, we will not be following this trend and you can expect to continue seeing identity names and green padlocks for EV websites in Pale Moon and Basilisk.


Re: Security at a glance

Post by New Tobin Paradigm » 2019-10-28, 02:29

> Needless to say, we will not be following this trend and you can expect to continue seeing identity names and green padlocks for EV websites in Pale Moon and Basilisk.
And Borealis Navigator, if it ever reaches release..
Last edited by Moonchild on 2019-10-28, 08:21, edited 1 time in total.
Reason: Added quote for clarity what the remark refers to.
