


Extended Validation Certificates and Cross Site Scripting

I recently read an article on Netcraft’s site (of “What’s that site running?” fame) citing how a cross-site scripting (XSS) vulnerability on the popular SourceForge.net’s site shows how Extended Validation (EV) SSL certificates could be exploited by “fraudsters.” The article talks about how to create an effective “phishing attack” that would retain the green bar in Internet Explorer 7 (and recent nightly builds of the Mozilla Firefox web browser), deceiving folks into believing that the site was valid and safe. The article fails to mention whether the Firefox builds were only Windows builds, or not.
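The mechanism behind that attack is worth seeing in code, because it has nothing to do with the certificate itself. A reflected XSS flaw means the attacker's markup is delivered by the genuine site, over the genuine site's TLS session, so the browser has no reason to change its certificate display. The block below is an added example written for this post, not code from Netcraft, SourceForge, or the original article: a minimal search handler that reflects its query unescaped, the hardened version, and the phishing link that would be sent out. The host `victim.example` and the attacker payload are constructed for illustration.

```javascript
// Added example (not from the original post or from the site it discusses).
// Shows why an XSS flaw defeats the EV "green bar": the attacker's content is
// served from the real origin, so the certificate shown is the real one.

// Hypothetical host name for the EV-protected site (constructed, not real).
const SITE_ORIGIN = 'https://victim.example';

// Defective handler: the search term is concatenated straight into HTML.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Minimal HTML entity encoding for text placed inside an element body.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Hardened handler: same page, but untrusted input is encoded before insertion.
function renderSearchHardened(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// The link a "fraudster" would mail out. Note that it points at the real host:
// the hostname, the certificate and the green bar are all legitimate.
function buildPhishingLink(payload) {
  return `${SITE_ORIGIN}/search?q=${encodeURIComponent(payload)}`;
}

// Crude detector used only to make the difference visible: does the rendered
// page contain a <script> element or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed attacker input: a script that replaces the page body with a fake
// login form. This is the shape of a phishing payload, not a real one.
const ATTACKER_INPUT =
  '<script>document.body.innerHTML="<form>Password: <input name=p></form>"</script>';

// Runs the whole scenario and returns what each side sees.
function demo() {
  const link = buildPhishingLink(ATTACKER_INPUT);
  // The query parameter is decoded by the server before rendering.
  const q = new URL(link).searchParams.get('q');
  return {
    linkHost: new URL(link).hostname,            // the genuine host
    vulnerableRunsScript: containsActiveContent(renderSearchVulnerable(q)),
    hardenedRunsScript: containsActiveContent(renderSearchHardened(q)),
  };
}

console.log(demo());
```

The point the Netcraft piece makes falls out of `demo()`: the link's host is the real one, the vulnerable page executes the injected script under that origin, and only the server-side encoding fix changes the outcome. An EV certificate vouches for who operates the server, not for what the server's own code does with user input.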

I am not specifically in the “security biz” anymore (any more than we *all* should be these days), :-) but I thought that I would post the link, since a lot of my friends and former coworkers are. The discovery by Netcraft is believed to be the first documented case of XSS on an EV SSL website.

Personally, I have always thought that green bars were just something else to fudge (raising the “bar” a little higher, if you will :-) ). I believe in using safer operating systems and application software and in trying to avoid doing stupid things (like using less safe operating systems, application software, and *practices*). I also believe that most systems are vulnerable to determined attacks by dedicated experts, or the government, but that some systems have shown themselves to be much less secure (and less scalable, and less reliable) than others.

Those who are still in the security biz may want to look at and evaluate Netcraft’s comments.

-Bill at Cheshire Cat Photo  
