On Mon, Aug 13, 2012 at 12:21 PM, Collin Jackson <[email protected]> wrote:
> Quite the opposite, you just made the argument in favor of LockEV. If
> LockEV is being used, the MITM attack with a DV certificate would no
> longer be possible, because the DV certificate would not be accepted
> by the browser.

Not to intentionally pick on PayPal — sorry, Brad :) — but the attack works because of explicit cross-origin script inclusion. The first demo of this attack I saw was by Sotirov and Zusman at CanSecWest some years ago. In the attack demo, EV paypal.com includes (included) script from non-EV paypalobjects.com.

If you distinguish EV paypal.com and non-EV paypal.com as distinct origins, it doesn't help anything if either origin explicitly includes script from any other origin (of any security level).

Now, maybe you mean that we would treat EV and non-EV HTTPS mixed scripting content as a new kind of mixed scripting problem, and then have a rule of blocking mixed EV/non-EV scripting by default. We recently changed Chrome to block mixed HTTP/HTTPS mixed scripting by default, and that was "exciting" enough. Maybe someday we can block or warn about mixed EV/non-EV content, but not in the next release, probably...

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
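The reply above argues that separating EV and non-EV origins does not help while a page explicitly includes script from a lower-assurance origin, and that closing the gap would require a new mixed-scripting rule. The following toy model, written for this page and not taken from the thread, from Chrome or from any browser's code, makes that reasoning concrete: it compares the HTTP/HTTPS mixed-scripting rule the email says Chrome now applies with the hypothetical EV/non-EV rule it speculates about. The "security levels" (`http`, `dv`, `ev`), the observed-certificate table, the policy names and all function names are constructed for the example.

```javascript
// Added example: a toy model of a browser's mixed-scripting policy. Not code from
// the websec thread or from Chrome. Everything below (level names, the cert table,
// policy names, function names) is constructed for illustration.

// Ordering of assurance levels: plain HTTP < domain-validated cert < EV cert.
const LEVEL_RANK = { http: 0, dv: 1, ev: 2 };

// Minimal origin parser: "https://www.paypal.com/x.js" -> { scheme, host }.
function parseOrigin(url) {
  const m = /^(https?):\/\/([^/:?#]+)/i.exec(url);
  if (!m) throw new Error('unsupported URL: ' + url);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

// Stand-in for what a browser learned from each host's TLS handshake.
// Constructed sample data, chosen to mirror the hosts named in the email.
const OBSERVED_LEVEL = {
  'www.paypal.com': 'ev',          // EV page origin
  'www.paypalobjects.com': 'dv',   // non-EV script host
  'cdn.example.net': 'http',       // plain-HTTP script host (constructed)
};

// Assurance level of the origin a URL would be fetched from.
function securityLevel(url) {
  const { scheme, host } = parseOrigin(url);
  if (scheme === 'http') return 'http';
  const level = OBSERVED_LEVEL[host];
  if (!level) throw new Error('no observed certificate for ' + host);
  return level;
}

// Weakest script level a page may run under a given policy.
//   'block-http-mixed': HTTPS pages (dv or ev) may not run HTTP script; that is all.
//   'block-ev-mixed'  : hypothetical stricter rule, script must match the page's level.
function minimumScriptLevel(pageLevel, policy) {
  if (policy === 'block-ev-mixed') return pageLevel;
  if (policy === 'block-http-mixed') return pageLevel === 'http' ? 'http' : 'dv';
  throw new Error('unknown policy: ' + policy);
}

// 'allow' or 'block' for one <script src> inclusion.
function scriptInclusionDecision(pageUrl, scriptUrl, policy) {
  const pageLevel = securityLevel(pageUrl);
  const scriptLevel = securityLevel(scriptUrl);
  const need = minimumScriptLevel(pageLevel, policy);
  return LEVEL_RANK[scriptLevel] >= LEVEL_RANK[need] ? 'allow' : 'block';
}

// A script that runs gets the including page's full authority, so the page's
// effective assurance is the weakest level among the page and every script it ran.
// This is the point of the email: distinct EV/non-EV origins change nothing here.
function effectiveLevel(pageUrl, scriptUrls, policy) {
  let level = securityLevel(pageUrl);
  for (const s of scriptUrls) {
    if (scriptInclusionDecision(pageUrl, s, policy) === 'allow') {
      const sl = securityLevel(s);
      if (LEVEL_RANK[sl] < LEVEL_RANK[level]) level = sl;
    }
  }
  return level;
}

// Stand-alone demo: EV page including the DV script host under both policies.
if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://www.paypal.com/';
  const scripts = ['https://www.paypalobjects.com/app.js'];
  for (const policy of ['block-http-mixed', 'block-ev-mixed']) {
    console.log(policy,
      scriptInclusionDecision(page, scripts[0], policy),
      'effective level:', effectiveLevel(page, scripts, policy));
  }
}
```

Under the HTTP/HTTPS rule the DV script is allowed and the EV page's effective assurance drops to DV, which is exactly the Sotirov/Zusman scenario the email describes; only the hypothetical EV/non-EV rule keeps the page at EV, by refusing the script outright.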
