
April 08, 2009

This Green Bar Will Save Your Life!

Comments

jensentime

I understand the appeal of knocking EV SSL certs, or security technology in general, and I applaud those who are forcing us to acknowledge just how vulnerable we really are. That having been said, however, the point of ANY kind of SSL has always been one thing, and one thing only -- to create a secure connection between two points (and ordinarily those points are exchanging some kind of private data). Can it be bypassed? Yes. Does that mean the secure connection is broken? No. It means that users are being diverted from the secure connection (i.e., Man in the Middle attacks), and that requires a different sort of protection entirely separate from SSL (EV or otherwise).

I think it's funny how every attack on EV SSL from black hat folks so far has involved exploiting some other weakness in a website (for example, the CanSecWest DNS hit). Yes, mixed security level sites do present problems, but blaming SSL for them is like blaming Masterlock when a thief gets in through the back (unbolted) door.

I think SSL gets a lot of flak for this because it has a reputation for being THE security solution, even with people who don't know what the acronym stands for. But, again, getting EV SSL protection isn't like placing your website in a gleaming green tank. It simply provides more secure connections between a site and its customers, and the additional vetting process proves to customers that you are who you say you are. Beyond that we're in another area.

Oh, and when you say "More than one person has stated that the green bar really doesn’t matter to users; it’s just a way for CAs to make more money," do you just mean in the UK Register comments? Most of the data I've read has suggested the opposite (re: users noticing the difference and feeling safer), but browsers have been slow to adopt EV...

Trent Henry

@jensentime,

You are right to point out that we should distinguish between weaknesses in SSL itself and other attack vectors. It's really the whole browser ecosystem implicated here, not the SSL protocol or underlying crypto ciphers.

However, I'm reminded of an old adage: if you install a bank vault door at the front of a canvas tent, you don't get kudos for the strong door.

(By the way, I've gathered input from many users critical of EV certs--I used to be in the PKI industry myself. Just last week I had a conversation with a large enterprise IT manager who offered an unsolicited critique.)

jensentime

--However, I'm reminded of an old adage: if you install a bank vault door at the front of a canvas tent, you don't get kudos for the strong door.

True, true, and as I said, I think a lot of folks treat SSL like a solution to everything when truly it needs to be treated like one tool in the bag of e-security tricks. The browser ecosystem, as you eloquently put it, is a rather treacherous one, and both the problems and their solutions are more complex than most realize.

--(By the way, I've gathered input from many users critical of EV certs--I used to be in the PKI industry myself. Just last week I had a conversation with a large enterprise IT manager who offered an unsolicited critique.)

Very interesting! Thanks for clarifying that, as I've not heard the same critiques.

Andy Steingruebl

To be fair here, the recent CanSec talk didn't actually show getting a fake certificate for all sites. It isn't clear this is possible as not all sites allow a user to play the email verification trick.

There are some potential fixes such as a change to browsers to treat EV differently than standard SSL, but I don't think that really solves the problem.

Do you personally have suggestions for fixing this? One option is stricter standards for who is in the trusted-root list in a browser. Do you have other suggestions?
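The "stricter trusted-root list" option above comes down to one mechanical fact: a certificate verifies if, and only if, it chains to a root that is in the client's trust store, and nothing about the leaf itself decides that. The script below is an added illustration, not code from the post or from any of the commenters, and it uses the OpenSSL command line to build two constructed root CAs (names are placeholders), issue a leaf for a placeholder hostname from the second root only, and then verify that leaf against a strict store (first root only) and a broad store (both roots). The same leaf is rejected by one store and accepted by the other; curating the list is the control.

```shell
#!/bin/sh
# Added example, not from the blog post or its comments. Requires the openssl CLI.
# Root names, the hostname and the file layout are all constructed for the demo.
set -eu

WORK="$(mktemp -d)"

# Self-signed root certificate: $1 = file stem, $2 = CN (placeholder value).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate signed by the root named in $1 for hostname $2 (constructed).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Echo "trusted" or "untrusted": does the leaf chain to a root in the PEM bundle $1?
# This is the only question path validation asks about the root; EV or not,
# a root that is in the list can vouch for any name.
check_against_store() {
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Build the fixtures: two roots, a leaf from Root B, a strict and a broad store.
setup_demo() {
  make_root rootA "Constructed Root A"
  make_root rootB "Constructed Root B"
  issue_leaf rootB "www.example.test"
  cp "$WORK/rootA.crt" "$WORK/store_strict.pem"                         # Root A only
  cat "$WORK/rootA.crt" "$WORK/rootB.crt" > "$WORK/store_broad.pem"     # both roots
}

setup_demo
echo "strict store (Root A only): $(check_against_store "$WORK/store_strict.pem")"
echo "broad store (A and B):      $(check_against_store "$WORK/store_broad.pem")"
```

Run it with a POSIX shell; the strict store reports "untrusted" and the broad store "trusted" for the very same leaf. Swapping which root is listed is all that changes the verdict, which is why trust-store membership, not the colour of the address bar, is where the vetting standard actually bites.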
