Penetration Testing mailing list archives

Re: SSL EV Certificates


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 24 Aug 2009 14:43:42 +0100

pand0ra wrote:
I was wondering what everyone thought of the EV (Extended Validation)
certificates. Verisign has a document that says the EV certs do not do
code/content signing, though the regular class 3 certificates do. Is
this an issue to worry about? I know there is an issue out there that
compromises the browser and can fake the green bar that makes the EV
cert feel safe. Aside from that, I would like to know if it is a worthy
investment in security or a marketing ploy. What are your thoughts?

It's a marketing ploy. There were EV certificates issued to "wrong"
people within weeks of its public launch; when it comes right down to
it, all EV promises is to do the checks that they always claimed they
were doing (and certainly were charging for) for certificates
already... Many CAs will also insist you are a registered company to
get an EV (which makes some of the failures interesting too), so it
isn't available to everyone anyhow.

However, it's a *successful* marketing ploy. For as long as there is
end-user perception that "only green-bar sites are safe", you could
well find that you will have to pay the danegeld for it, even though in
real terms it is no more valid than certificates ever were.

