A customer asked this question, and I couldn't answer it.

Let's say I'm a hacker with access to a public kiosk, and I want users
of that kiosk to see the EV green toolbar when they use the kiosk to
visit my hacked web site. My web site is configured with an SSL cert
signed by my own root.

I access the Mozilla source code and use it to build my own version of
Firefox. In that version, I add my root with the EV metadata. I suppose
I'll also need to set up an OCSP responder to respond to Firefox's OCSP
requests for my SSL cert, or just disable that check in my custom
Firefox. I then install that version of Firefox on the kiosk. Now anyone
using the kiosk to visit my web site will see the green toolbar.

Are there any safeguards in place to prevent this hack from succeeding?

-Rick Andrews

-- 
Rick Andrews                 __o    Phone: 650-426-3401
VeriSign, Inc.             _ \>,_   Fax:   650-426-5195
487 E. Middlefield Rd. ...(_)/ (_)  URL:   www.verisign.com
Mountain View, CA  94043            email: randr...@verisign.com
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
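An added example, not part of Rick's post and not Mozilla's or Firefox's code, that reproduces the scenario with openssl so the safeguard question can be reasoned about concretely. Both roots, the leaf certificate and the allowlist are constructed on the fly; nothing here is a real CA's key or fingerprint. Whether a leaf "chains to a trusted root" is decided entirely by whichever store the client was built with, so the only check the kiosk operator can make that a rebuilt browser cannot also rewrite is to compare the root the browser actually trusts for the site against a list of root fingerprints pinned somewhere outside the browser. The function and file names (`gen_self_signed_root`, `root_is_allowlisted`, `ev-roots.allow`, and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from Firefox): the "rogue root
# in a rebuilt browser" scenario, and the one client-side check that survives it.
# All certificates below are generated here and are constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOCK_ROOT="$WORK/stock-root.pem"   # stands in for a genuine EV root shipped with stock Firefox
ROGUE_ROOT="$WORK/rogue-root.pem"   # the attacker's own root, baked into the rebuilt Firefox
LEAF="$WORK/leaf.pem"               # the attacker's site certificate, signed by the rogue root
ALLOWLIST="$WORK/ev-roots.allow"    # operator's pinned list of SHA-256 root fingerprints

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

gen_self_signed_root() {
    # $1 = output PEM (private key written to $1.key), $2 = subject CN.
    openssl req -x509 -config "$WORK/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

issue_leaf() {
    # $1 = issuing root PEM (key at $1.key), $2 = output leaf PEM, $3 = hostname.
    openssl req -config "$WORK/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1" -CAkey "$1.key" -CAcreateserial \
        -extfile "$2.ext" -out "$2" -days 30 >/dev/null 2>&1
}

chain_validates() {
    # $1 = trust store (PEM bundle), $2 = leaf. Exit 0 iff the leaf chains to a
    # root in the store: the decision a browser makes before it looks at EV flags.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

root_fingerprint() {
    # SHA-256 fingerprint of a certificate, colon-separated hex as openssl prints it.
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

root_is_allowlisted() {
    # $1 = root PEM, $2 = file of allowed fingerprints, one per line.
    # A rebuilt browser can trust any root it likes; the allowlist is the
    # operator's independent record of which roots are supposed to be there.
    grep -qx "$(root_fingerprint "$1")" "$2"
}

# --- build the scenario described in the post ------------------------------
gen_self_signed_root "$STOCK_ROOT" "Stock EV Root (constructed)"
gen_self_signed_root "$ROGUE_ROOT" "Rogue Root (constructed)"
issue_leaf "$ROGUE_ROOT" "$LEAF" "kiosk-target.example"
root_fingerprint "$STOCK_ROOT" > "$ALLOWLIST"   # only the stock root is pinned

# Stock browser: the leaf does not chain, so no padlock and no green bar.
chain_validates "$STOCK_ROOT" "$LEAF" && echo "stock store: leaf trusted" \
                                      || echo "stock store: leaf rejected"
# Rebuilt browser: its store contains the rogue root, so the chain is fine, and
# if that root was also given EV metadata the green bar follows.
chain_validates "$ROGUE_ROOT" "$LEAF" && echo "rogue store: leaf trusted" \
                                      || echo "rogue store: leaf rejected"
# The operator's check: is the root the browser trusted one of the pinned ones?
root_is_allowlisted "$ROGUE_ROOT" "$ALLOWLIST" && echo "rogue root allowlisted" \
                                               || echo "rogue root NOT in allowlist"
```

The point the script makes is that nothing in the certificate chain itself distinguishes the two cases; the difference is purely which root sits in the store, and in the scenario described the attacker controls that store. Since the EV flag lives in the browser build, as the question says, a check implemented inside the browser can be rebuilt away just as easily, so the fingerprint comparison has to run from outside the browser (kiosk management tooling reading the installed profile or binary) against a list the kiosk attacker cannot edit. The same reasoning covers the OCSP step in the post: an attacker who controls the root also controls the responder URL the certificate points at.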