Penetration Testing mailing list archives

Re: SSL EV Certificates


From: Jan Schejbal <jan.mailinglisten () googlemail com>
Date: Sat, 22 Aug 2009 01:43:19 +0200

On 19.08.2009 22:47, pand0ra wrote:
> Aside from that I would like to know if it is a worthy
> investment in security or a marketing ploy.

Both. EV mandates additional security (like not using MD5), which is good. Verifying the company name and displaying it prominently is good, as long as it is guaranteed that a phisher won't get a cert for *his* phishing domain with the company name of the bank.

Of course the CAs make loads of additional money from it, but I think the security enhancement for the general user is worth that. Of course only for high-risk sites like banking, it does not make sense for a discussion forum login page IMO.

You can get a similar result as with code signing if you only download code (updates etc.) via EV-certified SSL connections. AFAIK Mozilla does this, updates either need to be SSL-secured OR signed.

Regards
Jan
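The two checks Jan mentions (an EV subject that names a verified organization, and a signature algorithm that is not MD5-based) can be automated on the client side. The following is an added example, not code from this thread or from any CA or browser vendor. It assumes the subject-attribute names that Python's `ssl.getpeercert()` reports (OpenSSL long names), uses a subset of the subject fields the CA/Browser Forum EV guidelines require, and builds a constructed, unsigned stand-in certificate purely so the DER walk can be exercised offline; the OIDs are the real `md5WithRSAEncryption`, `md5WithRSA` and `sha256WithRSAEncryption` values.

```python
"""Client-side sanity checks for EV certificates, standard library only."""

# Subject attributes an EV certificate carries beyond the usual CN / O / C
# (subset of the CA/Browser Forum EV guidelines; names as OpenSSL reports them).
EV_REQUIRED_SUBJECT_ATTRS = {
    "organizationName", "businessCategory", "serialNumber", "jurisdictionCountryName",
}

# Signature algorithm OIDs that rely on MD5 (md5WithRSAEncryption, md5WithRSA).
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4", "1.3.14.3.2.3"}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"


def flatten_subject(cert_dict):
    """Flatten the nested RDN tuples of ssl.getpeercert()['subject'] into a dict."""
    out = {}
    for rdn in cert_dict.get("subject", ()):
        for attr, value in rdn:
            out[attr] = value
    return out


def has_ev_subject(cert_dict):
    """True if every EV-identifying subject attribute is present."""
    return EV_REQUIRED_SUBJECT_ATTRS <= set(flatten_subject(cert_dict))


def organization_matches(cert_dict, expected_org):
    """Pin the displayed organization to the one the user expects (e.g. their bank)."""
    return flatten_subject(cert_dict).get("organizationName") == expected_org


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, end_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content octets into dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_algorithm_oid(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "outer Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(body, 0)             # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(body, pos)       # signatureAlgorithm SEQUENCE
    tag, oid, _ = _read_tlv(sig_alg, 0)        # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "algorithm must be an OID"
    return _decode_oid(oid)


def signature_uses_md5(der_cert):
    return signature_algorithm_oid(der_cert) in MD5_SIGNATURE_OIDS


# --- constructed test data (not real certificates) ---------------------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_stand_in_cert(sig_oid):
    """Constructed DER with a dummy tbsCertificate and no real signature."""
    tbs = _der(0x30, b"\x02\x01\x01")
    sig_alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00\xab"))


# Constructed dicts in the shape ssl.getpeercert() returns.
EV_CERT = {"subject": ((("countryName", "DE"),), (("organizationName", "Example Bank Inc."),),
                       (("businessCategory", "Private Organization"),), (("serialNumber", "HRB 12345"),),
                       (("jurisdictionCountryName", "DE"),), (("commonName", "www.example-bank.test"),))}
DV_CERT = {"subject": ((("commonName", "www.example-bank.test"),),)}

if __name__ == "__main__":
    print("EV subject:", has_ev_subject(EV_CERT), has_ev_subject(DV_CERT))
    print("MD5 signed:", signature_uses_md5(build_stand_in_cert("1.2.840.113549.1.1.4")))
```

In real use `flatten_subject` would be fed `sock.getpeercert()` after a `ssl.create_default_context()` handshake (so chain validation has already happened), and the DER bytes would come from `sock.getpeercert(binary_form=True)`; the point of `organization_matches` is the phisher scenario above: a client that pins the expected organization name does not care that some other EV cert is technically valid.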
