If this is the case, then I have to say that this entire discussion is outside the realm of this list and should instead be moved to the security list.
-Kyle H

On Thu, Aug 21, 2008 at 9:32 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> Kyle Hamilton wrote, On 2008-08-21 14:31:
>> On Thu, Aug 21, 2008 at 10:24 AM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>>> I was informed privately that it means that Firefox shows EV chrome
>>> indicators, even for pages that contain some DV content.
>>
>> Er, if this didn't happen, PayPal wouldn't be able to show chrome
>> indicators. Among other things, they use Google Analytics. I think
>> it would be a perfectly valid thing to refuse to form-submit to a
>> location that isn't under the same EV Subject as the originating form,
>> but if you strip the chrome from things that have some non-EV services
>> you're going to break things.
>
> It's not uncommon for Mozilla to change things to fix security
> vulnerabilities, and then discover that there were sites that depended
> on those vulnerabilities (often unwittingly). It's not tragic.
>
> I wouldn't lose any sleep if Google Analytics had to get an EV cert.
> Same for all those companies whose business is to track everything I do.
> They can afford it. :)
>
>>>>> And further vulnerabilities of this sort would reopen the same hole.
>>>>>
>>>>> In other words, the security of EV currently depends on the security of
>>>>> the DNS. This is bad.
>
>>> I agree that DV content in EV pages is just as dubious as any other DV
>>> content. I would favor that EV pages must have all EV content to show EV
>>> chrome, just as SSL pages must have all SSL content to show (normal) SSL
>>> chrome.
>>
>> Even in the case where you require all-EV content, if you try to
>> perform any additional matching of the Subject (which is what needs to
>> be matched anyway) you're going to break third-party data feeds and
>> services.
>
> Yeah, it's just not clear to me what legitimate role third party feeds
> have in an EV web page. In an http page, sure. In an EV https page?
> When the site is trying to say "You can be really sure you're dealing
> with me here", what role do third parties have in that? I don't think
> the EV message should be "You can be sure you're dealing with me on this
> page, except for that part down there, and that corner up there, where I
> let others have their way with your browser."
>
>> For example, in the aforementioned case, even if Google were EV'd, what
>> would the chrome look like? Whose name would be on it?
>
> Good questions. You can be sure that the answers won't come from any
> of the NSS or PSM folks. All that UI is done in much higher levels of
> the browser.
>
> And if that level of paranoia exists,
>
> I don't think it's paranoia. Not after reading
> http://crypto.stanford.edu/websec/origins/fgo.pdf
>
>> why isn't there a preference to disable non-EV content and/or EV content
>> where the Subject on the cert doesn't match the initial request to the EV
>> site?
>
> That's another good question for Firefox's UI royalty. That's all outside
> of NSS and PSM. PSM presents the information about "channels" to the
> higher levels of Firefox, which then make decisions based on it, and/or
> present that info to the user. The folks responsible for that code are
> rarely (if ever) seen in this list/group.
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto