> Not to intentionally pick on PayPal — sorry, Brad :) — but the attack works
> because of explicit cross-origin script inclusion. The first demo of this
> attack I saw was by Sotirov and Zusman at CanSecWest some years ago. In the
> attack demo, EV paypal.com includes (included) script from non-EV
> paypalobjects.com. If you distinguish EV paypal.com and non-EV paypal.com
> as distinct origins, it doesn't help anything if either origin explicitly
> includes script from any other origin (of any security level).

[Hill, Brad] No apology needed.  https://www.paypalobjects.com/ is using an EV 
certificate now, BTW, but I'm quite sure if you looked you could find non-EV 
content that's being transcluded somewhere (though hopefully not script src).  

I think that's important to consider about LockEV - PayPal is one of the sites 
most ready for and most pervasively EV, and it would not be prepared today to 
have a mixed-content policy enforced for EV/DV.  It would take a lot of work 
and a great deal of expense to achieve this, and not just for PayPal.  Consider 
how many sites use off-origin analytics, ads, CDNs, etc.  

The CDN cost also goes way up because EV certificates cannot include multiple 
logical subjects and XP, Android 2.x and other legacy OSs still prevent SNI 
from being widely used, so you need to pay for an exclusive IP address from the 
CDN, in addition to the cost of the EV cert itself.

Mixed-content blocking could very conceivably decrease the usage of EV certs 
dramatically.
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
