Where's My Green Bar?

EV SSL doesn't mean the same thing on all browsers. Who has the best approach?

I'm a fan of EV SSL. Like a lot of security technologies, it's far from being a silver bullet, but it's helpful. It's also, perhaps, harder to implement than it may at first seem.

EV SSL is short for Extended Validation Secure Sockets Layer, and refers to a special class of x.509 digital certificate particularly for Web servers. It was developed by an industry consortium called the CA/Browser Forum, which is made up of certificate authorities and browser vendors (notably, not including Apple).

One part of EV SSL that makes it both more authoritative as a certificate and more expensive as a product is that there are detailed and strict requirements in the specification (PDF) for how certification authorities verify the applicants for a certificate. The spec is full of checks that the CA "MUST" perform.

The other part of EV SSL is that it mandates a change in browser behavior: The browser address bar turns green when viewing an EV SSL site, and there are other guidelines for making the certificate holder's name more prominent. With earlier browsers and certificates, actually checking the cert holder's name could be quite a convoluted process.

So what does it mean when the browser address bar turns green? Under the EV SSL rules, it means that the top-level document is signed by an EV SSL certificate signed by a trusted certificate authority, the biggest of which is VeriSign.

But the top-level document isn't all there is to a Web page. Pages from the sorts of big commercial entities that would buy EV certificates are often composed of elements from numerous domains, and the EV spec does not require that all of them have EV certificates. For instance, use Internet Explorer 7 or Firefox 3 (still pre-release) to look at the home page of PayPal. PayPal is the poster child for EV SSL, and it has decided to do everything it can to protect its brand and identity. But it hasn't got there yet.

The top-level document and some key elements, like the main PayPal logo, have EV certs. But other elements on the page, such as this graphic, do not. Browse the first one and you get a green bar; browse the second one and you don't.

What are the implications? It makes cross-site scripting attacks more serious, because the user will still see the green bar even though portions of the page are from a different site unprotected by the EV certificate. I don't want to overstate the danger of cross-site scripting, but neither do I want to understate it. Some very famous, important sites have experienced cross-site scripting attacks. They are difficult to eliminate because it requires consistent, good programming practices. You can't just plug in a security product to take them away.

This problem will start to become a little more pronounced soon, when users start using the next generations of the Firefox and Opera browsers. Both support EV SSL and will thus increase the awareness of SSL. (Apple appears to have no plans for EV SSL support in Safari.) One difference about them, as opposed to IE 7, is that they do not turn the whole address bar green, but just a small portion of it; I have to say I prefer the IE approach, but it's a little early to say one is right and the other wrong.

But Opera goes one major step further than the other two browsers: It does not turn the address bar green unless all the elements on the page have EV SSL certificates. The following sites all show green bars in IE 7, but not in Opera 9.5 (Beta 2):

There are sites that make Opera go green, though, including these:

For the most part, the sites that go green in Opera are simple ones and not high-profile, the Deutsche Bank site being an obvious exception. Still, it's sobering.

I'm always leery of making the perfect the enemy of the good. I wish that more browsers were stricter about EV SSL, or at least offered a strict mode. But that doesn't mean that EV SSL is not a useful thing. It is, and the sorts of sites that might be phished really should adopt it. A good plan for adoption of EV SSL would also include a concerted effort to remove the sorts of vulnerabilities that could diminish its value.

Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.