On Aug 13, 2012, at 2:09 PM, Collin Jackson wrote:

> Brad was describing a network attacker that was able to obtain a DV
> certificate (but not an EV certificate) for a target site. The
> attacker can "act as a partial MITM and provide, using a DV
> certificate, trojan script content in an iframe with no security
> indicators or substitute an external script in a legitimate page and
> that script will have full access to content delivered with an EV
> certificate." This would allow, for example, the attacker to read
> cookies and passwords entered into a bank's login form.
>
> My point is that if the site is using LockEV, the network attacker's
> DV certificate is useless, so LockEV is useful even if the browser's
> script access checks don't pay attention to the EV/DV distinction.

If the site did LockEV without ever locking its public key or CA, you would be right. That seems like a ridiculous policy, though. LockCA seems much more likely.

--Paul Hoffman
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
