Penetration Testing mailing list archives
Re: SSL EV Certificates
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 24 Aug 2009 14:43:42 +0100
pand0ra wrote:
I was wondering what everyone thought of the EV (Extended Validation) certificates. Verisign has a document that says the EV certs do not do code/content signing though the regular class 3 certificates do. Is this an issue to worry about? I know there is an issue out there that compromises the browser and can fake the green bar that makes the EV cert feel safe. Aside from that I would like to know if it is a worthy investment in security or a marketing ploy. What are your thoughts?
It's a marketing ploy. There were EV certificates issued to "wrong" people within weeks of its public launch - when it comes right down to it, all EV promises is to do the checks that they always claimed they were doing (and certainly were charging for) for certificates already.... Many CAs will also insist you are a registered company to get an EV (which makes some of the failures interesting too) so it isn't available to everyone anyhow.

However, it's a *successful* marketing ploy. For as long as there is end-user perception that "only green-bar sites are safe" then you could well find that you will have to pay the danegeld for it, even though in real terms it is no more valid than certificates ever were.
Current thread:
- SSL EV Certificates pand0ra (Aug 21)
- Re: SSL EV Certificates Jan Schejbal (Aug 21)
- Re: SSL EV Certificates David Howe (Aug 24)