Gervase Markham wrote:
>> What problem would doing this address?
>>
>> I agree that mixing SSL and non-SSL is something the user might be
>> concerned about, but I'm not sure I see a reason for wanting to know
>> if EV-SSL and vanilla-SSL is being mixed.
>
> One thought: because Firefox does not warn you if the different page
> components come from different domains, that means that if there was an
> XSS hole in the EV-protected site, a phisher could buy a $25 cert and
> make sure their injected content appeared without complaint.
That doesn't seem all too different from a vanilla-SSL site having an XSS hole. I'm not sure how that could be explained to a user in a meaningful way, either. I'd also be wary about building the impression that content served under an EV cert is somehow more trustworthy, when it seems we're taking pains to avoid that rathole and focus on it being a site identity thing.

Also, a more practical concern would be that if an existing SSL site is already linking to SSL content under a different certificate, then upgrading to an EV cert would break that. That might just be an education issue for purchasers of EV certs, though.

Justin

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
