Penetration Testing mailing list archives
Re: SSL EV Certificates
From: Jan Schejbal <jan.mailinglisten () googlemail com>
Date: Sat, 22 Aug 2009 01:43:19 +0200
On 19.08.2009 22:47, pand0ra wrote:
> Aside from that I would like to know if it is a worthy investment in security or a marketing ploy.
Both. EV mandates additional security (like not using MD5), which is good. Verifying the company name and displaying it prominently is good, as long as it is guaranteed that a phisher won't get a cert for *his* phishing domain with the company name of the bank.
Of course the CAs make loads of additional money from it, but I think the security enhancement for the general user is worth that. Of course only for high-risk sites like banking, it does not make sense for a discussion forum login page IMO.
You can get a similar result as with code signing if you only download code (updates etc.) via EV-certified SSL connections. AFAIK Mozilla does this, updates either need to be SSL-secured OR signed.
Regards,
Jan
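The checks Jan's reply relies on, an EV policy OID present, no MD5 (or SHA-1) signature, and the subject organization matching the company the user expects to see, as an added Go example that is not part of this thread. It assumes Go 1.22 or newer, assumes the CA/Browser Forum EV OID 2.23.140.1.1 as the EV marker (real browsers also accept CA-specific EV OIDs), and tests itself against a constructed self-signed certificate rather than a real bank certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID, assumed here to be the EV marker (browsers also accept CA-specific EV OIDs).
var cabfEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
// Signature algorithms an EV certificate must not carry (MD5) or that are no longer acceptable (SHA-1).
var weakSigs = map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.ECDSAWithSHA1: true}

// CheckEV lists why a leaf cert fails the thread's EV expectations: weak hash, missing EV OID, or wrong subject O.
func CheckEV(cert *x509.Certificate, expectedOrg string) []string {
	var problems []string
	if weakSigs[cert.SignatureAlgorithm] {
		problems = append(problems, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	hasEV, orgOK := false, false
	for _, oid := range cert.PolicyIdentifiers { hasEV = hasEV || oid.Equal(cabfEV) }
	for _, o := range cert.Subject.Organization { orgOK = orgOK || o == expectedOrg }
	if !hasEV {
		problems = append(problems, "no EV policy OID in CertificatePolicies")
	}
	if !orgOK {
		problems = append(problems, "subject O does not match "+expectedOrg)
	}
	return problems
}

// ConstructedCert builds a self-signed sample (constructed test data, not a real cert); alg == 0 lets Go pick SHA-256.
func ConstructedCert(org string, ev bool, alg x509.SignatureAlgorithm) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), SignatureAlgorithm: alg,
		Subject:   pkix.Name{CommonName: "bank.example", Organization: []string{org}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if ev {
		tmpl.PolicyIdentifiers = []asn1.ObjectIdentifier{cabfEV}
		oid, _ := x509.OIDFromInts([]uint64{2, 23, 140, 1, 1}) // Policies mirrors PolicyIdentifiers for Go 1.24+ marshaling
		tmpl.Policies = []x509.OID{oid}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```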