On Apr 13, 2012, at 6:25 AM, Henri Sivonen wrote:

> On Wed, Apr 11, 2012 at 10:54 AM, Jesse Ruderman <[email protected]> wrote:
>> A wifi MITM attacker can steal all the passwords you have saved on
>> http sites, by sending you to fake versions of each site and watching
>> what the browser fills into the form.
>
> Last I had the misfortune to be able to check, Firefox was happy to
> perform autofill on a non-EV-https site using passwords remembered
> when the site used EV-https. Thus, EV doesn't protect against an
> advanced MITM that can fake non-EV certs. (Dunno how important this
> concern is. That is, I don't know how realistic it is for a MITM to
> gain the capability to fake non-EV certificates but not to gain the
> capability to fake EV certificates.)
The better solution to that problem might be:
https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

Lucas.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
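The two autofill behaviours discussed in this thread, as an added example that is not part of the original message and not Firefox's password manager code. It is a toy model: class and function names (PasswordStore, autofillByHost, autofillByOrigin, filledUsernames), the hostnames and the credentials are all made up. Each saved entry records the origin it was saved on and the certificate validation level seen at the time ("none" for plain http, "dv" for ordinary https, "ev" for EV https). The hostname-only policy is the behaviour Henri describes; the origin-scoped policy withholds an EV-saved password on a DV page, but neither policy can tell a MITM's http page from the real one, which is Jesse's point. Certificate pinning, as in the wiki page above, is outside this model.

```javascript
// Added example: toy model of how a browser password manager scopes
// autofill. Not Firefox code; all names, hosts and credentials are
// hypothetical. Validation levels: "none" (http), "dv" (https), "ev" (EV https).

const LEVEL_RANK = { none: 0, dv: 1, ev: 2 };

class PasswordStore {
  constructor() {
    this.entries = [];
  }

  save(scheme, host, validation, username, password) {
    this.entries.push({ scheme, host, validation, username, password });
  }

  // Weak policy: match on hostname only. A password saved under EV https
  // is offered on any page with the same hostname, whatever its scheme
  // or certificate.
  autofillByHost(page) {
    return this.entries.filter((e) => e.host === page.host);
  }

  // Stricter policy: scheme and host must match, and the certificate
  // validation level of the current page must be at least the level
  // seen when the password was saved.
  autofillByOrigin(page) {
    return this.entries.filter(
      (e) =>
        e.scheme === page.scheme &&
        e.host === page.host &&
        LEVEL_RANK[page.validation] >= LEVEL_RANK[e.validation]
    );
  }
}

// Constructed sample store: one password saved on an EV https site, one
// on a plain http site.
function buildStore() {
  const store = new PasswordStore();
  store.save("https", "bank.example", "ev", "alice", "hunter2");
  store.save("http", "forum.example", "none", "alice", "letmein");
  return store;
}

// Pages an attacker on the local network could present (constructed).
// A plain http page needs no certificate; a DV https page needs a
// certificate from some CA; an EV page needs an EV certificate.
const FAKE_HTTP_FORUM = { scheme: "http", host: "forum.example", validation: "none" };
const FAKE_DV_BANK = { scheme: "https", host: "bank.example", validation: "dv" };
const REAL_EV_BANK = { scheme: "https", host: "bank.example", validation: "ev" };

// Usernames the given policy would fill into a login form on `page`;
// whoever serves that page learns the matching passwords.
function filledUsernames(store, page, policy) {
  return store[policy](page).map((e) => e.username);
}

// Demonstration: both policies fill the forum password on the MITM's http
// page, because nothing distinguishes it from the real site; only the
// origin-scoped policy refuses the EV-saved bank password on a DV page.
for (const policy of ["autofillByHost", "autofillByOrigin"]) {
  const store = buildStore();
  console.log(policy);
  console.log("  fake http forum:", filledUsernames(store, FAKE_HTTP_FORUM, policy));
  console.log("  fake DV bank   :", filledUsernames(store, FAKE_DV_BANK, policy));
  console.log("  real EV bank   :", filledUsernames(store, REAL_EV_BANK, policy));
}
```

Run with node; the http case is the one no autofill policy can fix, since an attacker who controls the network can always serve http://forum.example.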
