<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Sans Unicode";
panose-1:2 11 6 2 3 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I quite like this. Thank you for the update!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray'>Marissa (Reese) Wood, PMP, CISSP</span></b><span style='font-family:"Lucida Sans Unicode",sans-serif;color:#1F497D'> </span><span style='font-size:10.0pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray'>| Cell Phone </span><span style='font-family:"Lucida Sans Unicode",sans-serif;color:#1F497D'><a href="tel:303-506-3282"><span style='font-size:10.0pt'>303-506-3282</span></a></span><span style='font-size:10.0pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray'> | <a href="mailto:reese@mozilla.com"><span style='color:gray;text-decoration:none'>reese@mozilla.com</span></a> | Slack: #Marissa (Reese)</span><span style='font-size:10.0pt;font-family:"Lucida Sans Unicode",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> firefox-dev <firefox-dev-bounces@mozilla.org> <b>On Behalf Of </b>Johann Hofmann<br><b>Sent:</b> Monday, August 12, 2019 10:05 AM<br><b>To:</b> Firefox Dev <firefox-dev@mozilla.org><br><b>Cc:</b> dev-platform <dev-platform@lists.mozilla.org>; Wayne Thayer <wthayer@mozilla.com><br><b>Subject:</b> Intent to Ship: Move Extended Validation Information out of the URL bar<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>Before:</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'><img border=0 width=532 height=43 style='width:5.5375in;height:.4458in' id="_x0000_i1025" src="https://lh4.googleusercontent.com/pSX4OAbkPCu2mhBfeleKKe842DgW28-xAIlRjhtBlwFdTzNhtNE7R43nqBS1xifTuB0L8LO979yhpPpLUIOtDdfJd3UwBmdxFBl7eyX_JihYi7FqP-2LQ5xw4FFvQk2bEObdKQ9F"></span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>After:</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'><img border=0 width=469 height=280 style='width:4.8875in;height:2.9166in' id="_x0000_i1026" src="https://lh5.googleusercontent.com/kL-WUskmTnKh4vepfU3cSID_ooTXNo9BvBOmIGR1RPvAN7PGkuPFLsSMdN0VOqsVb3sAjTsszn_3LjRf4Q8eoHtkrNWWmmxOo3jBRoEJV--XJndcXiCeTTAmE4MuEfGy8RdY_h5u"></span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been </span><a href="https://www.typewritten.net/writer/ev-phishing/"><span style='font-family:"Arial",sans-serif;color:#1155CC'>pitting EV against domains</span></a><span style='font-family:"Arial",sans-serif;color:black'> for phishing.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>More recently, it has been </span><a href="https://stripe.ian.sh/"><span style='font-family:"Arial",sans-serif;color:#1155CC'>shown</span></a><span style='font-family:"Arial",sans-serif;color:black'> that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>The Chrome team recently removed EV indicators from the URL bar in Canary and announced </span><a href="https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI"><span style='font-family:"Arial",sans-serif;color:#1155CC'>their intent to ship this change in Chrome 77</span></a><span style='font-family:"Arial",sans-serif;color:black'>. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.</span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'> </span><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>On our side a pref for this (security.identityblock.show_extended_validation) was added in </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1572389"><span style='font-family:"Arial",sans-serif;color:#1155CC'>bug 1572389</span></a><span style='font-family:"Arial",sans-serif;color:black'> (thanks :evilpie for working on it!). We're planning to flip this pref to false in </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1572936"><span style='font-family:"Arial",sans-serif;color:#1155CC'>bug 1572936</span></a><span style='font-family:"Arial",sans-serif;color:black'>.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>Please let us know if you have any questions or concerns,</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial",sans-serif;color:black'>Wayne & Johann</span><o:p></o:p></p></div></div></body></html>