On Mon, Aug 13, 2012 at 10:58 AM, Hill, Brad <bh...@paypal-inc.com> wrote: > There are, of course, non-browser HTTP clients that may respect HSTS, but EV > certificates in particular are aimed at a browser audience as it is about > user trust indicators. > > EV is *not* a security boundary in browsers, however. It is a brand > awareness and consumer trust product. > > I am not aware of any user agents that treat EV and non-EV content as having > different effective security principals for purposes of the Same Origin > Policy. So, although it is more difficult to get an EV certificate than a DV > one, that does not provide any effective security against a MITM attacker who > can obtain a DV certificate. Such an attacker can always act as a partial > MITM and provide, using a DV certificate, trojan script content in an iframe > with no security indicators or substitute an external script in a legitimate > page and that script will have full access to content delivered with an EV > certificate. > > I would posit that means a feature like LockEV has little to no practical > value unless and until (not likely) Web user agents provide origin isolation > between EV and non-EV content.
Quite the opposite, you just made the argument in favor of LockEV. If LockEV is being used, the MITM attack with a DV certificate would no longer be possible, because the DV certificate would not be accepted by the browser. Collin _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec