RE: EV hack from michael.mccormick@wellsfargo.com on 2009-05-20 (public-wsc-wg@w3.org from May 2009)

From: <michael.mccormick@wellsfargo.com>
Date: Wed, 20 May 2009 12:34:47 -0500
To: <tlr@w3.org>, <ifette@google.com>
CC: <public-wsc-wg@w3.org>
Message-ID: <A584B538788BFA42A9971BBA4801CCF84154CC9EB1@MSGCMSV21021.ent.wfb.bank.corp>

Thanks Thomas.

For what it’s worth, I agree with Opera’s position on this issue as stated by Yngve on his blog.  The compromise position that WSC ultimately took in Oslo is disappointing.  I’m glad Opera still gives me the option to configure a stronger EV policy than what WSC recommends.

Purists can debate about “EV or nothing” but I take a pragmatic view.  Attackers are hijacking EV pages while spoofing the agent’s EV/AA indicator, and the reason these attacks work is because the EV indicator only reflects the top level document.  These attacks severely undermine EV and degrade the trustworthiness of the EV/AA indicator.

Mike

From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Wednesday, May 20, 2009 5:46 AM
To: ifette@google.com
Cc: McCormick, Mike; public-wsc-wg@w3.org
Subject: Re: EV hack

On 20 May 2009, at 01:16, Ian Fette (イアンフェッティ) wrote:


We discussed this at length in the f2f (Oslo?).

Oslo indeed.  See Yngve's notes at the time:
  http://my.opera.com/yngve/blog/2008/05/23/lowering-the-ev-bar




I strongly oppose changing this. If DV is not relaible for DV then it needs to be fixed. I for one am not ready to say it's EV or nothing.
2009/5/19 <michael.mccormick@wellsfargo.com<mailto:michael.mccormick@wellsfargo.com>>
Friends,

Many of you are no doubt aware of green bar spoofing attacks against EV SSL indicators like this one:
http://www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/


Agents could prevent this in most cases by requiring all displayed content to be AA secured (not just top level document) before displaying the AA indicator.  In private discussions with Wells, one browser manufacturer has already agreed to do exactly this in a future release.

Section 5.3 of WSC-UI (current working draft) says:

A Web User Agent that can display an AA indicator MUST NOT display this indicator unless all elements of the page are loaded from servers presenting a validated certificate, over strongly TLS-protected interactions.

This helps mitigate the spoof risk, but I urge you to add a statement such as:

A Web User Agent that can display an AA indicator SHOULD NOT display this indicator unless all elements of the page are loaded from servers presenting an Augmented Assurance Certificate (AAC) over strongly TLS-protected interactions.

Regards, Mike

Michael McCormick, CISSP
Lead Architect
Strategic Information Security Architecture
Wells Fargo Bank
“THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.

Received on Wednesday, 20 May 2009 17:35:46 UTC