by ladon86 1136 days ago
It’s a continuation of the trend that led to them removing Extended Validation indicators: https://duo.com/decipher/chrome-and-firefox-removing-ev-cert...

Here’s how they used to appear: https://pbs.twimg.com/media/EBxdA7EWsAIQtc0.jpg

While I buy the reasoning that consumers simply ignore them, EV indicators would be really useful in a corporate setting to mitigate phishing attempts against employees. It’s much easier to train employees to “look for your company’s name in the green bar” before they sign into a site, than to understand how domains work and why login.yourcompany.com is OK but login-yourcompany.com isn’t.

Does anyone know if it’s possible to restore EV indicators in Chrome via MDM software or similar? Does anyone work at a company that does this?

4 comments

> EV indicators would be really useful in a corporate setting to mitigate phishing attempts against employees.

Our company puts a big red banner on the top of all emails that come from an external source or don't have DMARC/SPF/DKIM/other security protections. Literally nobody ever checks the banner. It has no effect on phishing click rates. People do not read, or think. They just look for wherever it is expected for them to click something/fill something out, or just click random things to see what something might be.

The only thing that has marginally improved click rates is when we either gamify it, or put all external mails in an external mail folder marked NOT SAFE.

If you had a tornado siren go off every 20 minutes every single day of the year, how long before you stopped ignoring the siren? How surprised would you be when a tornado hit 2 years later?

"This product causes cancer" is ineffective when the warning is plastered on everything. Same goes for warnings in computer systems.

San Francisco had a tsunami warning siren that was sound-tested every Tuesday at 12pm for 30 seconds. It was fun!

It needed repairs so they dumped it. A few weeks later there was the 1st tsunami warning in ages, but it went through telephone since they had dismantled their warning siren.

Every week? Damn, that's a lot. We do once a month for tornado siren tests, where I am. And not all year, but of course tsunamis aren't seasonal.

Yeah, weekly. (Can confirm.)

I always felt like it sounded like it was saying "noooooooooooooooooooooooooooooon on a Tuesday" to me. Lunch time.

Also always felt like around noon on Tuesdays, we were completely vulnerable; if anything were to happen I would have heard the siren, and wandered outside looking for grub.

There is a subset of San Franciscans that do not hear the siren, too. On a pretty common basis we'd discover someone in the office who had "never heard the siren", somehow. I'm not exactly sure how. It's easily audible inside in the FiDi, and it was audible in North Beach when I worked there.

At my doorslam job, they hired a Director of Engineering Architecture or whatever title. He had a strong background in security, they said. Yeah well, turns out his background was that he led the offshore team that built an anti-virus company's .mobi website for 9 years. 1st hour of 1st day, he clicked the anti-phishing test "Click here to update your drivers" phishing email.

> EV indicators would be really useful in a corporate setting to mitigate phishing attempts against employees

I believe that kind of "negative awareness", the awareness that needs you to keep constantly checking whether something has disappeared, doesn't work well in practice. You naturally develop blindness to that element, and therefore to its absence too.

Long ago I read that someone registered a corp in some other jurisdiction with the same company name as the one he wanted to impersonate with an EV cert. And succeeded.

So what you are proposing is of questionable value.

That researcher was Ian Carroll, who created a new "Stripe, Inc" company in Kentucky, a clone of the one registered in Delaware, and was therefore able to get an EV certificate issued for his new company that looked very similar to one issued for the Delaware company.

His original research site appears to no longer be online (https://stripe.ian.sh/), but you can read more about it in these articles:

https://www.bleepingcomputer.com/news/security/extended-vali...

https://arstechnica.com/information-technology/2017/12/nope-...

A better approach would probably be to wildcard ban domains with your company name on the DNS server (except for the real one).

Good idea, that sounds very viable. Thank you!
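The suggestion above of blocking lookalike domains at the corporate resolver is doable, with one caveat: a resolver cannot substring-match "your company name" by itself, so in practice you either pre-generate candidate names or classify observed queries and feed the hits into a Response Policy Zone (RPZ). The following is an added example, not code from the thread or from any of the commenters; it assumes a hypothetical company "yourcompany" with two real domains, uses a deliberately tiny public-suffix table and confusable-character table (both constructed for the example), and emits an RPZ fragment that NXDOMAINs the flagged registrable domains. Note that it catches "login-yourcompany.com", "y0urcompany.co.uk", "yourcornpany.net", a Cyrillic-a homoglyph, and "yourcompany.com.evil.io", but it is still a heuristic and only helps while the user's device is actually using the corporate resolver.

```python
"""Lookalike-domain policy for a corporate DNS resolver (added example).

Assumptions (not from the thread): company name "yourcompany", real domains
yourcompany.com and yourcompany.net, a small public-suffix table, and a small
table of characters attackers substitute for ASCII letters.
"""
import re
import unicodedata

COMPANY = "yourcompany"
ALLOWED_REGISTRABLE = {"yourcompany.com", "yourcompany.net"}

# Simplified public-suffix handling: enough for the example, not the real PSL.
KNOWN_SUFFIXES = {"com", "net", "org", "io", "co.uk", "com.au"}

# Constructed confusables table; longer keys are applied first so "rn" -> "m"
# happens before single-character substitutions.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i", "rn": "m", "vv": "w",
}
CONFUSABLES_ORDERED = sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0]))


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, lowercased."""
    labels = host.rstrip(".").lower().split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def skeleton(host):
    """Collapse a hostname onto the ASCII name it imitates.

    Decodes punycode labels, applies NFKC, maps confusable characters to the
    letters they mimic, and drops dots, hyphens and other separators.
    """
    parts = []
    for label in host.rstrip(".").lower().split("."):
        s = label
        if s.startswith("xn--"):
            try:
                s = s.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: fall through with the raw label
        s = unicodedata.normalize("NFKC", s)
        for bad, good in CONFUSABLES_ORDERED:
            s = s.replace(bad, good)
        parts.append(re.sub(r"[^a-z0-9]", "", s))
    return "".join(parts)


def verdict(host):
    """Return ('allow', reason) or ('block', reason) for a queried hostname."""
    reg = registrable_domain(host)
    if reg in ALLOWED_REGISTRABLE:
        return "allow", f"{reg} is an allowed company domain"
    if COMPANY in skeleton(host):
        return "block", f"{host} imitates {COMPANY} but {reg} is not an allowed domain"
    return "allow", "no match for the company name"


def rpz_zone(blocked):
    """Render an RPZ zone fragment (BIND/Unbound style) that NXDOMAINs each name.

    In RPZ, 'name CNAME .' means NXDOMAIN; the '*.' entry covers subdomains.
    """
    lines = [
        "$TTL 300",
        "@ SOA rpz.local. hostmaster.rpz.local. 1 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for name in sorted(blocked):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def build_rpz(observed_hosts):
    """Classify observed query names and emit RPZ entries for the flagged ones."""
    blocked = {registrable_domain(h) for h in observed_hosts if verdict(h)[0] == "block"}
    return rpz_zone(blocked)


if __name__ == "__main__":
    # Constructed sample of names as they might appear in resolver query logs.
    sample = [
        "login.yourcompany.com",
        "login-yourcompany.com",
        "y0urcompany.co.uk",
        "yourcornpany.net",
        "yourcomp\u0430ny.com",  # Cyrillic small a in place of ASCII a
        "yourcompany.com.evil.io",
        "example.org",
    ]
    for h in sample:
        print(f"{h:30} {verdict(h)[0]:5} {verdict(h)[1]}")
    print(build_rpz(sample))
```

The RPZ output is meant to be loaded as a policy zone on the resolver, which is where "wildcard ban ... except for the real one" actually lives; the allowlist check runs first so the real domains never end up in the zone. Anything the heuristic misses (brand names split across labels, unrelated TLDs the suffix table does not know) still needs the usual reporting path.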