- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 19 May 2009 15:37:01 -0500
- To: <public-wsc-wg@w3.org>
- Message-ID: <A584B538788BFA42A9971BBA4801CCF84154B61DAD@MSGCMSV21021.ent.wfb.bank.corp>
Friends, Many of you are no doubt aware of green bar spoofing attacks against EV SSL indicators like this one: http://www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/ Agents could prevent this in most cases by requiring all displayed content to be AA secured (not just top level document) before displaying the AA indicator. In private discussions with Wells, one browser manufacturer has already agreed to do exactly this in a future release. Section 5.3 of WSC-UI (current working draft) says: A Web User Agent that can display an AA indicator MUST NOT display this indicator unless all elements of the page are loaded from servers presenting a validated certificate, over strongly TLS-protected interactions. This helps mitigate the spoof risk, but I urge you to add a statement such as: A Web User Agent that can display an AA indicator SHOULD NOT display this indicator unless all elements of the page are loaded from servers presenting an Augmented Assurance Certificate (AAC) over strongly TLS-protected interactions. Regards, Mike Michael McCormick, CISSP Lead Architect Strategic Information Security Architecture Wells Fargo Bank "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO" This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Received on Tuesday, 19 May 2009 20:38:56 UTC