|
|
|
Where`s My Green Bar?
By: Larry Seltzer
2008-04-25
Article Rating: / 4
There are 3 user comments on this Network Security & Hardware story.
EV SSL doesn't mean the same thing on all browsers. Who has the best approach?I'm a fan of EV SSL. Like a lot of
security technologies, it's far from being a silver bullet, but it's helpful.
It's also, perhaps, harder to implement than it may at first seem.
EV SSL is short for Extended Validation
Secure Sockets Layer, and refers to a special class of x.509 digital
certificate particularly for Web servers. It was developed by an industry
consortium called the CA/Browser Forum,
which is made up of certificate authorities and browser vendors (notably, not
including Apple).
One part of EV SSL that makes it both
more authoritative as a certificate and more expensive as a product is that
there are detailed and strict requirements in the specification (PDF)
for how certification authorities verify the applicants for a certificate.
The spec is full of checks that the CA "MUST" perform.
The other part of EV SSL is that it
mandates a change in browser behavior: The browser address bar turns green when
viewing an EV SSL site, and there are other
guidelines for making the certificate holder's name more prominent. With
earlier browsers and certificates, actually checking the cert holder's name
could be quite a convoluted process.
So what does it mean when the browser address bar turns green? Under the EV SSL
rules, it means that the top-level document is signed by an EV SSL
certificate signed by a trusted certificate authority, the biggest of which is VeriSign.
But the top-level document isn't all there is to a Web page. Pages from the
sorts of big commercial entities that would buy EV certificates are often
composed of elements from numerous domains, and the EV spec does not require
that all of them have EV certificates. For instance, use Internet Explorer 7 or
Firefox 3 (still pre-release) to look at the home page of PayPal. PayPal is
the poster child for EV SSL, and it has
decided to do everything it can to protect its brand and identity. But it hasn't
got there yet.
The top-level document and some key elements, like the main PayPal logo,
have EV certs. But other elements on the page, such as this
graphic, do not. Browse the first one and you get a green bar; browse
the second one and you don't.
What are the implications? It makes cross-site scripting attacks more
serious, because the user will still see the green bar even though portions of
the page are from a different site unprotected by the EV certificate. I don't
want to overstate the danger of cross-site scripting, but neither do I want to
understate it. Some very famous, important sites have experienced cross-site
scripting attacks. They are difficult to eliminate because it requires consistent,
good programming practices. You can't just plug in a security product to take
them away.
This problem will start to become a little more pronounced soon, when users
start using the next generations of the Firefox and Opera browsers. Both
support EV SSL and will thus increase the
awareness of SSL. (Apple appears to have no
plans for EV SSL support in Safari.) One
difference about them, as opposed to IE 7, is that they do not turn the whole
address bar green, but just a small portion of it; I have to say I prefer the
IE approach, but it's a little early to say one is right and the other wrong.
But Opera goes one major step further than the other two browsers: It does
not turn the address bar green unless all the elements on the page have EV SSL
certificates. The following sites all show green bars in IE 7, but not in Opera
9.5 (Beta 2):
There are sites that make Opera go green, though, including these:
For the most part, the sites that go green in Opera are simple ones and not
high-profile, the Deutsche Bank site being an obvious exception. Still, it's
sobering.
I'm always leery of making the perfect the enemy of the good. I wish that
more browsers were stricter about EV SSL, or
at least offered a strict mode. But that doesn't mean that EV SSL
is not a useful thing. It is, and the sorts of sites that might be phished
really should adopt it. A good plan for adoption of EV SSL
would also include a concerted effort to remove the sorts of vulnerabilities
that could diminish its value.
Security Center
Editor Larry Seltzer
has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take
a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
|
|
�������x}r6*(g,푧dK#Y^K3ޙ:U*$�%)_|u^<�.d$Lb["Fh4��{C>O:ft�cnQ?sOuޛ'w߽ ��?F0�Y[�Ϡ^='N-w5� E]0eNzNv@ ��q@��Dwo$�>J� &Ԟ@�adJ4'oل^ߗ̙6Q01'�.hѲ
⌳Il_Pk$ȁ_
E9�*!%>���eY&H|2c�ַ8>v P=2r3͛6B�uK$�!�1QbD�g'}�~���70va=�w@SѠ*"U�{aUh��/� /�\1r.bLռ;��F/�[)NrD�FLNH
�հ�HI z:r,#����c9��NRY R�k3�t4Ԭ�kvާ9�]��o�ԏ`�-y~0[<�I%$�7
:\ܪRNxO,Ӈw�$lǦ"�Um_j|�4n9s8"sz5
�w�E5b�6�j�ۆ@ظ�?0�}���O�L�E��sˑ$iFp0閩�l�Huw*ZbT9K[C
L{hT�ݙw�,�vW� �pdi�vd5M-0�M;�އVF�r�H� m��|#i[oL;0Q\�&*+Jxk�>:sو���lnAZ֪V�/z��o�g��b
M���u4}'_�J-2�uL�xi}FryI-IRs$�t;�پB$u#��7�7#Re1�$,�cM�|�Am�dƩ�$|��S;Gk__Ѭrxx[cW)���r�
4s;�n�Z�a4z�AL5�&:h�)5?�&FĚb.L2o2zʥ�:)`I˪�
TY��&嗋�mQu3
.r�!"x^3t� �BD ��`o8{ØWX*\�E��:NQ'm��5>l;4�}t>�$��4icŦ�h\OM�r�Ӈ��!L��~��ͣn]=&tno7,AbG��a`Ψs!FAтMx>kIMl�Mߟ�̀=�s#08�w�ɽ 5����Q
n(?|a���q�jQ?]�*3<9���D>�7}��h5F�&��QcSB�]jC8o$N˕����(G))yC{"��hI#r�����
BгSX"C"'OA7�w$]KI+\fD8�nO�u8�gˏ�ڹLX.QI,p[/ �͙JRdQU Q="`&�Q%a*0pRx5Vn/jc٦ByA�Y$)M�I�eEV�!=�H3.NiÔCӠs=���_#f5mV�AL �
�|�U=kb�$`~f�
�?u�r@,�H�od��koռE_x�ee8HyK-#�rȇj7�{p.�E�6Gh�?40���&Ϳ;���SslR6qcQTH4)Ȕe�8ʪVUR+J}�sf8�,� �J;2H/F>mT.mT^GΧޙ�yд��"w=: S-`tӱ; l�ϣ )a!��w1��J[Y�*,b3)T+zF
�끊�_E30c� ؈ޓȁUraXO3Ņ堳쟷הU#??q6oZ- �V�Uu�>8`C�L�mRǦE}B5ߴ�iF+eu�ff!f6墢ĴJ~�5<�%X]K2X�rƎe9�ٔA�5n\?0�Sʤk�h��z�hSXGssDb<"T
paLH�a0�3M��lqؼ7,k�ɜN�4:E�80�'e9#b+;ꭧDžL,#WԶͶwQ+ xH1�kM8v�ɇE>&V{E;��c
�)gpI,�_��ta@Cv�P��\QT1.#_L��_LQ0(TK�nQ�E^a~�V��K�Ŵ�h��T{}S�ː
0gted��-.V�jL�o39Ԋ%Z�gD+/9N]C'x�/Mqמ8��ܩvPCӨ7?�!n8hk0�{]w+\kOμ��+�;2E�<&��{H�%X*\#yVa/bҧJǦ8H�zU0�H5YU�[�M�Ν�.���Џ]��!.��~0)�X@�P A6+8SU_,JT\�rO�-8-_k1�&E`���]QӲkTVQqi?q;t跸6]
Q�|z0fƏ^WeaY[�"W�kE}fW�c7{)h�"QkF��FdD�t=Έ#6RPj*6�k};`[�Ek欭h�+,s��V ЛiQdS7El�jC��"a'۽%�̍/e?f#�Äon)J�Vg
HW4ČekRฦKӤ̭6#ohksߊ"�*y4*sfH信LfЮ%�H�k798$[mv_&*|92S�G�EXqkTV�c-(̼�\X�R9փlz�(2�|ޝxAc#&�aܨxo
b
PkQ�KK�Iռm0R�KbU) Bo_D��5jlm��
��l⊗v�~XC+�τkox~�E�6�2j>kR9,ԕO��Oe3q1䌸8DXx��`6
�5]st53ӸZC8f'S�IlgYV&Uq]t3Mc>ր�h
k0>2RiI
+U~�UL&2��%SS]����8arOn{W9Ԍ!0�J$GJIUKU�jZ�'0�隆�}��( JQ)��ݣ,z$�ߥd�0JE��`7�'�ɠ��K=� �J�\|V
n�i*�8fX&1W+�+ڼ d@48&���G&>N�ПBQ`n�о(&w,�I�@�~5}��
+f[I)7�m9<"EmS�Fx�W�i_u�{WGue}q92��ﵲRy<��8)߾juD��-.nzﯚvq�Q^��ɷ9J�]�J@�Ώ&
I1ڈW2Q,!f}uކ:A�hy+ 8dGWN{A+t�7�+%YӻI}'
z�s5A A��KBV�48iq_nSo4�jG�Yk�NE�m�͘-O|�B�[QqB�=JfƓ4vˢuʳeь9r�tJ)SBt�F(2H PU,O$e=l�I2 KBh%bbVHGRo�ݸڞ6<1ޥ]ƙ%mK$��Ζˬ�(�̗4.נ��F'��+�`-;|C?OSJ[L�XuTդ�
g[^UHN~@���R>Cp0S�`0#�,(Ra�=rxXͳ61@뀴m@��Nx�7Ć#^@)s^XL2k=�x/[gY6/t0wϾ��!_�m|oYM2G�z1= n�QM�t�v�zv`sgk3
{:`A��O[[ıp߆�
@.�r�os7&N[Ә ucA�I��e>x?HАݛ�-p�8#�L[_w듺�FC\joų~~^�7�~Zؖ[q@�Ǡ#�R�#K1M&�(jAUH*"qۋ�G#S~`q8-<���&iulځ;�-�3(�mm3{zi�^9_3{K�NWK}�U����4ϯ3i8e~W�J�M[i}E)]K5"�v�ًK*qN(qQ�) { �G�XHڃ}mo[#D:*p&�^�zQc%F}?^�Sϗ,t4?�q27
~~+lFY:Өcs'��2_N#V, }e��QT�#xLy3fG^q �?�PDG;N^R\xQHɺ*/cWc�˲}�:2<�lYRU/�evy5`lj>q$�:�;RG�FY&1+w}�5HpU�e AnɎ!D\GNK'dB1
�Y�8��nhH�h,OMJM{L�t�P:NA1�ahςΒN0t<�r�ԟՄ.e�xs�9qgW�&,I�'#1?�ی
ف��X=:Q�Á�"�-`xUH%ܲx�M_�}�m˄>Ñxړ8*@5R!>Z�?y:yhBę�a(~�
�Qh�J(Bo�@7
mP�6PB��bg�+eO13r-%b`�q@�7B{g;��5&TR�^Q+:U:ZtWh_տJGkq�
1w|��r2
碳懕SſNWK:]uZt�h�7}�+!J?�m:qA36�?з{��I4,?[&$�I6�TW?Y�k"�)|9�_�t8�톎g%�!�Y{�cPk�2es�3�G#Ӫ=ƴ��k'q4$pF1^+CL#=�'9�0.xDb�;=Ma
��00 o#?PǸn3[]y~Ld$S(,1@�^t
`\{t�駟¤Z�t$;A[DD;�)�Oc=q� �XOeD6-tX�]kN9-(JRi!Jmܷ�6�7_�
���$e�_Mt,}a,E�C��w7,iBeu~�rj�я�b�Wi.\$�e9Ld�$Ǯ,�-3B23=,{�+ϸW$H7Q�$
G?�2.Ĵ;+� ,�y憈J-9"G@�� �ƒ"q�
�9��AE!�Twxe3)�4kaXnbS�Z�hݓK�c.a;*�*%�|�Z�iE�]N1
2Vx�u5WHk̘1P;HqU6'�a{ԥ�BM\�E�*Z!Ѥ�F�1C�/ku��llN��!Ve
H�'ܪsI�&�
�]'ஹ�fQZ+)pN\�:]s§�%�,T/ae�Z}v#u[�Wu�z^.b-u�IK'0��ツ�R6>�9��bH.LOkG� �e
az�gx+р0m���<�}]u'Rp}
�"׀u8��L`BC�g�]ˉC~Jګk&9_`c�i65'7s>vRRP�{���c̞j۫u퇩Ƈa[��ͬ{[S+�g9ۅ]�aiJ"%Φ0�'rٚmj��6�~��i�~LWQ]n9rR4qɎW}�#ZIHx�5JǡӸUL(ZpB!1��I\MR�,6$Ae�ux
}>$Y�0Q启J"�r+L�>ϲyJ'`߄_ɀo}���UQ>T��:�>jN����&̋XHt<.&Ȑ~GZx�̥dz�Ƞr
�q,�Ye)z-�2�'AU}�H?Km1RUG���P5�6�0\''V�C!W~5�na��o#Q_����:�}GL��%�a�]��̇;
T@� C�O�
2��xwKG�:K}`H��{K>zS=�?ݘ#!+^�bɳ{#Nn\C9��}�h�\`srVxcbB1��S
Ws�gM[fBE<
,i
g� k(E�$�73A؝쾋L�s<�3DD�^ôukfĄA|'m�J,:U>|赯�[?� T6!�1�g�P(AuI5?<*}�ڽ�9��T��&}�fAm�����e�OL)!H0Z�L4�Xh0u�s���Xc�� Ʃ~�V�x�m��)lD
��23�f)8._
l9�:We@�g�>�0u�s�dT9s!aZ;�/J$Ѕ:�y,@#!��9ω��q{rniG'\虞^@�(�+)a���B�h),f,�-ה\�&uMƧC(�;Ib(�eEQxCb�PLfE#U�OiB�R,
��?j١�~ dSm&�Mf
r̝4;�y4MEOg7k{ߏg��_QvBxֻxj]ߴ�sӃ�R6;&�E`<�e�jF9!3ѢksYx�)K�N��IK"Y 3@cqq�>o�g�Y��
�Ue5DU@*}q7���!~ټij6Z[�A{q�Y/N|v˒3:o|jQ=����uRؕ0\js���@1@C|ouZg�һjEY|$V}Q�vdw�埠SF
߬/?k�62{P(GN�/o�
3(?[_~�9Ϡ�{(;l/o7s'fF9�3r~]?#\_��0t3Ƨ�f�Y�v>�tw?��f'UF>@K((�#�r�߫�ʐ+���{z��_?3�x�&~F~F����=���ʡ�2�!~P~U�{mF�y���rָƅ)�iFy9wr/
苬 OY射:(?�}V<_`}
,c3\)N
Я!��7�~2A?zBX\Jzp+Wϼdm4Zk8VӮnp_l(Σ�_xi� �+�
Y�<"q.�
3l?V\[[,Oн�ۺ{�ϊrݓs+z`~Hc�1پWߕ\~UnE�+t"LkXE)9�8yÜf1'\5L��|,y��e8�Nt��L�w~/,3yK�-Lyڃ�~�r m>G$6[W_/�ydֺWWV��7�mLP0 Oݡσf�ţu>TVl<- �5�Q3[� ƈC�o�� FfھZ�eR 76և#{�xuCZ7Wqb�^d,)+x�}s&pN!3J81�|�fZ���gѥ8�!r}DM)5�QjȺT_i{�n`'ߛ8�@��D$GJIUKJ�~+jZ�W߰o`8 "8�e(Ȓ\#}a`Պ|X.U�&���K=#
��.mm3_ &�'N��"�3q<@>>�M�!���&m\͠mC�ao/�cK�ZS�÷`�\g;]Ǚ[�M3�Y&38]�!�=7.@c�mdG�"k�)L=�[��^6\A>|#]MfD��r&ߢ5zOG�U1PX��Ȳn=ó�6^I�F�'vQ�eҿ~
�j#�0q�O�
�,7��g!X3Wd]d
�A_d|bh6Mx�*�U|6�n:8Y0:u��M�hu%OX��VX#e� �k_3�PSFӾ&}ǚo��Ã2&��6LGÇ5 (MP"3�qm$!38x�K%�(*F�V�n,='�ID/j���˦UMfR�4=�woKP2�$0\d�~\g;Thw[�i>ͷ �bi?���v"酰xC Ԃ����X戄=$~5|w,Cfc��s���#m^Π&b/�MzKVo;j[@�(&�]�a�ьU%̝,A'�Tr,H>Nw�'|o#/)0XP�yw4w<�l`Ɉ�09��`��%լ`?�9����A&{禭ٺ*\4fR*4l;�$t
����e[� |kc'p���!
X��0�3�<ձw
^g�t#>Ƌ�rd{GoڻV<�HPWFWݞO�,�/Xo}�8l��/�dz ṕ!Xs#Q�&I`
<{*h;�ܨNaEVb05�yMvͳF}��dtK��&b[pQ@
lџfL�.�ѮB`nbbq�Y;g�lKw6G_d
m/Wvm:�mmlP/>yOW}Q糺�a|dt%k^FzHM`WH{�+W�r 1e~8Ş�i#$W @ }(ۉnFة��,�{ �QIb�FC�8utvQѪ
V�7"60^Yw�SR�l@�sxS
a�
\nսv��E=b농tE]�khT[_�!**S�
�%/�ߩ�n^泌]e�c�X#.�7I;s�[__9V0�|6,�cz��#ɾ1��af+1űW�u|�g)d̅Ada��'Z-*?҂o/R\�F$0(�y��lHb9��=a,����'lu�K�K*t�f0 '�Ɣ
ϰ"�� sOeO�xDh\�"?X9<1�Ut,�jWx�/{c|>[z0�pjPŌP�9/wZ��0��
��9\\Ohc{pff�#3�G���τ �ix�z�X��#`*F"�TZ*bJ�ى�[qpR.C795I(>eSa#'@n0\|�d9[\Oڅ�4�c�\j�K^�೨B�//bA-R*r*
_x�D4�Nb� Ӟ�_yr����W���<�aep�?i-ݍW0�,w5ȟ7#�RI>Pl��v�2h,=Q$DM� $zf}u�C?%ȕ/�5F#x�oU��AtM�{'14�n�2�HZ�\ɡ\�vᷮ�g۲ͼ1R�>I\J�BS+$Ĥ�{mh6
<ͤDa|ά�=̭q/4a-d4džI�lck�jy�^tp���
|
Network Security & Hardware 
