Eddy Nigg (StartCom Ltd.) wrote:
1.) Are Google AdWords secured by SSL to start with?
I presume this option is available; otherwise SSL sites couldn't use
them without getting mixed content errors.
Hmm... unless they are totally JS-driven. I don't know how they work for
certain, so that could
Eddy Nigg (StartCom Ltd.) wrote:
From the site operator perspective I don't see any reason why a site
shouldn't be served by the same certificate (or same level).
Syndicated advertising?
Gerv
___
dev-security mailing list
Gervase Markham wrote:
I was giving the example of e.g. Google AdWords, where content on your
site is served from a 3rd-party site. So not all of the site can be
served by the same certificate. Parts will be your certificate, and
parts will be Google's.
OK...understand...Your example
Justin Dolske wrote:
That doesn't seem all too different from a vanilla-SSL site having an
XSS hole.
Mhhh...if the site contains unencrypted content, then the browser
notices it. If the parts are served by a different site (and
certificate) there is no notice. However the issue here is
Gervase Markham wrote:
Right. But allowing this makes it possible for the identity presented to
not be the identity of the owner of the content.
Correct!
That might actually lead to the idea that we should require that all the
content comes from the same company (O field). But that
Justin Dolske wrote:
What problem would doing this address?
I agree that mixing SSL and non-SSL is something the user might be
concerned about, but I'm not sure I see a reason for wanting to know if
EV-SSL and vanilla-SSL is being mixed.
One thought: because Firefox does not warn you if
Gervase Markham wrote:
What problem would doing this address?
I agree that mixing SSL and non-SSL is something the user might be
concerned about, but I'm not sure I see a reason for wanting to know
if EV-SSL and vanilla-SSL is being mixed.
One thought: because Firefox does not warn you
Let's suppose a web hosting company acquires an EV cert and provides its
clients with some nifty rewrite rule to let the site appear as EV
verified, but the actual content is served in an iframe from the
client's regular SSL-secured site. Which answer would you propose to your
question below?
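The scenario above (an EV-fronted page whose real content comes from an iframe served under someone else's certificate) and Gerv's point about the presented identity not matching the content owner can be made concrete with a small script. This is an added example, not code from the thread or from any of its participants: it walks a page's markup, resolves every embedded reference against the page URL, and classifies each one as same-origin (covered by the certificate the browser displays), cross-origin over TLS (valid, but a different certificate and identity, and no browser notice), or insecure (mixed content, which the browser does flag). The hostnames and HTML are constructed for the demo, and the regex-based tag scan is an assumption adequate for illustration, not a real HTML parser.

```javascript
// Added example (not from the original mailing-list thread): classify where a
// rendered page's parts actually come from, relative to the identity the
// browser shows for the top-level document.
//
// Assumptions: hostnames below are constructed; markup is scanned with a
// simple regex, fine for a demo but not for hostile HTML.

const SUBRESOURCE_TAGS = /<(iframe|script|img|link|object|embed)\b([^>]*)>/gi;
const REF_ATTR = /\b(src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Resolve one reference against the page URL and say how the browser treats
// it relative to the certificate shown in the address bar.
function classifyReference(raw, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(raw, page); // handles relative and protocol-relative refs
  } catch {
    return { url: raw, origin: null, kind: "unparseable" };
  }
  let kind;
  if (target.protocol !== "https:") {
    kind = "insecure";           // mixed content: the browser warns about this
  } else if (target.origin === page.origin) {
    kind = "same-origin";        // covered by the top-level certificate
  } else {
    kind = "cross-origin-tls";   // valid TLS, different certificate/identity, no warning
  }
  return { url: target.href, origin: target.origin, kind };
}

// Scan the markup and classify every embedded reference in document order.
function classifySubresources(html, pageUrl) {
  const results = [];
  let m;
  while ((m = SUBRESOURCE_TAGS.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = REF_ATTR.exec(m[2]);
    if (!a) continue;
    const raw = a[2] ?? a[3] ?? a[4];
    results.push({ tag, ...classifyReference(raw, pageUrl) });
  }
  return results;
}

// Tally results by kind, so the split between what the browser flags
// (insecure) and what it silently accepts (cross-origin-tls) is visible.
function countByKind(results) {
  return results.reduce((acc, r) => {
    acc[r.kind] = (acc[r.kind] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample: an EV-certified hosting front page that frames the
// customer's own (non-EV) site and pulls in a third-party ad script.
const SAMPLE_PAGE_URL = "https://www.hosting-example.test/customer/site";
const SAMPLE_HTML = `
<html><body>
<script src="/static/app.js"></script>
<iframe src="https://customer-site.example.test/app"></iframe>
<script src="//ads.example.test/adwords.js"></script>
<img src="http://cdn.example.test/logo.png">
</body></html>`;

const report = classifySubresources(SAMPLE_HTML, SAMPLE_PAGE_URL);
console.log(report);
console.log(countByKind(report));
```

Running this on the constructed page shows the asymmetry the thread is circling: the `http:` image is the only reference a browser treats as mixed content, while the framed customer site and the ad script are accepted without notice even though neither is served under the certificate whose identity the address bar presents.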