Kyle Hamilton wrote, On 2008-08-21 14:31:
> On Thu, Aug 21, 2008 at 10:24 AM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> I was informed privately that it means that Firefox shows EV chrome
>> indicators, even for pages that contain some DV content.
> 
> Er, if this didn't happen, PayPal wouldn't be able to show chrome
> indicators.  Among other things, they use Google Analytics.  I think
> it would be a perfectly valid thing to refuse to form-submit to a
> location that isn't under the same EV Subject as the originating form,
> but if you strip the chrome from things that have some non-EV services
> you're going to break things.

It's not uncommon for Mozilla to change things to fix security
vulnerabilities, and then discover that there were sites that depended
on those vulnerabilities (often unwittingly).  It's not tragic.

I wouldn't lose any sleep if Google Analytics had to get an EV cert.
Same for all those companies whose business is to track everything I do.
They can afford it. :)

>>>> And further vulnerabilities of this sort would reopen the same hole.
>>>>
>>>> In other words, the security of EV currently depends on the security of
>>>> the DNS. This is bad.

>> I agree that DV content in EV pages is just as dubious as any other DV
>> content.  I would favor that EV pages must have all EV content to show EV
>> chrome, just as SSL pages must have all SSL content to show (normal) SSL
>> chrome.
> 
> Even in the case where you require all-EV content, if you try to
> perform any additional matching of the Subject (which is what needs to
> be matched anyway) you're going to break third-party data feeds and
> services.  

Yeah, it's just not clear to me what legitimate role third party feeds
have in an EV web page.  In an http page, sure.  In an EV https page?
When the site is trying to say "You can be really sure you're dealing
with me here", what role do third parties have in that?  I don't think
the EV message should be "You can be sure you're dealing with me on this
page, except for that part down there, and that corner up there, where I
let others have their way with your browser."

> For example, in the aforementioned case, even if Google were EV'd, what
> would the chrome look like?  Whose name would be on it?

Good questions.  You can be sure that the answers won't come from any
of the NSS or PSM folks.  All that UI is done in much higher levels of
the browser.

> And if that level of paranoia exists,

I don't think it's paranoia.  Not after reading
http://crypto.stanford.edu/websec/origins/fgo.pdf

> why isn't there a preference to disable non-EV content and/or EV content
> where the Subject on the cert doesn't match the initial request to the EV
> site?

That's another good question for Firefox's UI royalty.  That's all outside
of NSS and PSM.  PSM presents the information about "channels" to the
higher levels of Firefox, which then make decisions based on it, and/or
present that info to the user.  The folks responsible for that code are
rarely (if ever) seen in this list/group.
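
The three indicator policies debated in this thread, modelled side by side on one page. This is an added example, not part of the original message and not Firefox, PSM or NSS code; the policy names, the channel record layout, the hosts and the Subject organizations are all hypothetical and constructed for illustration.

```javascript
// Each "channel" is one HTTPS load on a page: its validation level ("EV" or
// "DV") and the Subject organization in its certificate (null for DV).
const POLICIES = {
  // Behaviour described in the thread: only the top-level document counts.
  topLevelOnly: (top, subs) => top.validation === "EV",
  // Proposal: all content must be EV, like the all-SSL rule for SSL chrome.
  allEv: (top, subs) =>
    top.validation === "EV" && subs.every((c) => c.validation === "EV"),
  // Stricter variant: every load must also carry the top-level Subject.
  allEvSameSubject: (top, subs) =>
    top.validation === "EV" &&
    subs.every((c) => c.validation === "EV" && c.subjectOrg === top.subjectOrg),
};

function showsEvChrome(policyName, page) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error(`unknown policy: ${policyName}`);
  return policy(page.top, page.subresources);
}

// Subresource loads that, taken alone, would cost the page its EV chrome.
function offendingChannels(policyName, page) {
  return page.subresources.filter(
    (c) => !showsEvChrome(policyName, { top: page.top, subresources: [c] })
  );
}

function comparePolicies(page) {
  const result = {};
  for (const name of Object.keys(POLICIES)) result[name] = showsEvChrome(name, page);
  return result;
}

// Constructed sample: an EV payment page that embeds a DV analytics script.
const paymentPage = {
  top: { host: "pay.example", validation: "EV", subjectOrg: "Example Payments, Inc." },
  subresources: [
    { host: "static.pay.example", validation: "EV", subjectOrg: "Example Payments, Inc." },
    { host: "analytics.example", validation: "DV", subjectOrg: null },
  ],
};

// Same page after the analytics provider obtains its own EV certificate.
const paymentPageEvAnalytics = {
  top: paymentPage.top,
  subresources: paymentPage.subresources.map((c) =>
    c.host === "analytics.example"
      ? { ...c, validation: "EV", subjectOrg: "Example Analytics LLC" }
      : c
  ),
};
```

Running `comparePolicies` on both pages shows the trade-off: an EV certificate for the third party satisfies the all-EV rule, but Subject matching still strips the indicator.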
