Kyle Hamilton wrote:
> On Thu, Aug 21, 2008 at 10:24 AM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> I was informed privately that it means that Firefox shows EV chrome
>> indicators, even for pages that contain some DV content.
> 
> Er, if this didn't happen, PayPal wouldn't be able to show chrome
> indicators.  Among other things, they use Google Analytics.  I think
> it would be a perfectly valid thing to refuse to form-submit to a
> location that isn't under the same EV Subject as the originating form,
> but if you strip the chrome from things that have some non-EV services
> you're going to break things.

That is not good enough. As long as it is possible to spoof DNS, it is
possible to get a DV certificate for any domain. Once the attackers have a
DV certificate, they can inject their code into a page that is loading
mixed (EV + DV) content. That code can then use various methods to
transmit the information the user has entered on the page (for example
creating an img element whose src URL contains the data to transmit to
the DV site under the attacker's control).

-- 
  Heikki Toivonen - http://heikkitoivonen.net
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
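An added example, not code from the thread or from Mozilla, of the audit a site operator can run to find the exposure both Kyle and Heikki describe: it parses a page and lists every script, image, frame, stylesheet or form target that the page's own HTTPS origin does not cover, since each such reference is a place where content under a separately issued (DV) certificate, or a data-carrying request, enters the page. It assumes Python 3 with the standard library only; the sample page, hostnames and the "same site" rule are constructed simplifications.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute pulls content from, or sends data to, another origin.
REFERENCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                   "link": "href", "form": "action"}


class ReferenceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every element listed in REFERENCE_ATTRS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REFERENCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, urljoin(self.page_url, value)))


def same_site(host, page_host):
    # Simplification (assumed for this example): the site's own hosts are the
    # page host and its subdomains. A real check would use the public suffix
    # list and the domains named in the EV certificate's subject.
    return host == page_host or host.endswith("." + page_host)


def audit_page(page_url, html):
    """Return [(tag, url, reason)] for every reference the page's own HTTPS
    origin does not cover: served by another site (so possibly under a
    separately issued DV certificate) or fetched over plain HTTP."""
    page_host = urlsplit(page_url).hostname
    collector = ReferenceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((tag, url, "not https"))
        elif not same_site(parts.hostname, page_host):
            findings.append((tag, url, "cross-site"))
    return findings


# Constructed sample standing in for a login page of the kind discussed above.
SAMPLE_PAGE_URL = "https://www.example.com/login"
SAMPLE_HTML = """<form action="/submit"><input name="pw"></form>
<script src="https://analytics.example.net/ga.js"></script>
<img src="http://static.example.com/logo.png">
<script src="https://www.example.com/app.js"></script>"""
```

Running `audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports the third-party analytics script and the plain-HTTP image, while the same-site form action and script pass.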