- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 22 May 2009 07:29:48 -0400
- To: <michael.mccormick@wellsfargo.com>
- Cc: ifette@google.com,public-wsc-wg@w3.org,tlr@w3.org
- Message-ID: <OF7EF8F0AF.796D1AF0-ON852575BE.003F61D7-852575BE.003F8AF9@LocalDomain>
Hi Mike,
The issue will not be reopened. It was decided by WG consensus process.
Mez
From: <michael.mccormick@wellsfargo.com>
To: <tlr@w3.org>, <ifette@google.com>
Cc: <public-wsc-wg@w3.org>
Date: 05/20/2009 01:36 PM
Subject: RE: EV hack
Sent by: public-wsc-wg-request@w3.org
Thanks Thomas.
For what it's worth, I agree with Opera's position on this issue as stated
by Yngve on his blog. The compromise position that WSC ultimately took in
Oslo is disappointing. I'm glad Opera still gives me the option to
configure a stronger EV policy than what WSC recommends.
Purists can debate about "EV or nothing" but I take a pragmatic view.
Attackers are hijacking EV pages while spoofing the agent's EV/AA
indicator, and the reason these attacks work is because the EV indicator
only reflects the top level document. These attacks severely undermine EV
and degrade the trustworthiness of the EV/AA indicator.
Mike
From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Wednesday, May 20, 2009 5:46 AM
To: ifette@google.com
Cc: McCormick, Mike; public-wsc-wg@w3.org
Subject: Re: EV hack
On 20 May 2009, at 01:16, Ian Fette (イアンフェッティ) wrote:
We discussed this at length in the f2f (Oslo?).
Oslo indeed. See Yngve's notes at the time:
http://my.opera.com/yngve/blog/2008/05/23/lowering-the-ev-bar
I strongly oppose changing this. If DV is not reliable for DV then it
needs to be fixed. I for one am not ready to say it's EV or nothing.
2009/5/19 <michael.mccormick@wellsfargo.com>
Friends,
Many of you are no doubt aware of green bar spoofing attacks against EV
SSL indicators like this one:
http://www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/
Agents could prevent this in most cases by requiring all displayed content
to be AA secured (not just top level document) before displaying the AA
indicator. In private discussions with Wells, one browser manufacturer
has already agreed to do exactly this in a future release.
Section 5.3 of WSC-UI (current working draft) says:
A Web User Agent that can display an AA indicator MUST NOT display this
indicator unless all elements of the page are loaded from servers
presenting a validated certificate, over strongly TLS-protected
interactions.
This helps mitigate the spoof risk, but I urge you to add a statement such
as:
A Web User Agent that can display an AA indicator SHOULD NOT display this
indicator unless all elements of the page are loaded from servers
presenting an Augmented Assurance Certificate (AAC) over strongly
TLS-protected interactions.
Regards, Mike
Michael McCormick, CISSP
Lead Architect
Strategic Information Security Architecture
Wells Fargo Bank
"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
FARGO"
Received on Friday, 22 May 2009 11:34:55 UTC
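
The three indicator policies discussed in this thread, compared on one page load. This is an added example, not part of the original messages or of WSC-UI. The object shape, the level names ("none", "validated", "aac"), the policy labels and the sample URLs are assumptions made for illustration, as is the rule that the top-level document itself must present an AAC.

```javascript
// Added illustration; field names, level names and policy labels are assumptions.
// Levels: "none" (no valid cert), "validated" (e.g. DV), "aac" (e.g. EV).
const RANK = { none: 0, validated: 1, aac: 2 };

// True when every resource is strongly TLS-protected and at least `minLevel`.
// Unknown level strings are treated as "none".
function allMeet(resources, minLevel) {
  return resources.every(
    (r) => r.strongTls === true && (RANK[r.level] ?? 0) >= RANK[minLevel]
  );
}

// Minimum level each policy demands of page elements (null = elements ignored).
//   "top-level-only":  indicator reflects only the top-level document
//   "wsc-5.3-must":    all elements from servers with a validated certificate
//   "proposed-should": all elements from servers presenting an AAC
const ELEMENT_MINIMUM = {
  "top-level-only": null,
  "wsc-5.3-must": "validated",
  "proposed-should": "aac",
};

// Decide whether the AA indicator may be shown under the given policy.
function mayShowAaIndicator(page, policy) {
  if (!(policy in ELEMENT_MINIMUM)) throw new Error(`unknown policy: ${policy}`);
  if (!allMeet([page.top], "aac")) return false; // assumed: top level needs an AAC
  const min = ELEMENT_MINIMUM[policy];
  return min === null ? true : allMeet(page.elements, min);
}

// URLs of the elements that keep the indicator from being shown.
function blockingElements(page, policy) {
  const min = ELEMENT_MINIMUM[policy];
  if (min === null || min === undefined) return [];
  return page.elements.filter((r) => !allMeet([r], min)).map((r) => r.url);
}

// Constructed sample: AAC top-level document that pulls one script from a
// server holding only an ordinary validated certificate.
const samplePage = {
  top: { url: "https://bank.example/login", level: "aac", strongTls: true },
  elements: [
    { url: "https://bank.example/app.js", level: "aac", strongTls: true },
    { url: "https://cdn.example/widget.js", level: "validated", strongTls: true },
  ],
};
```

On the sample page the indicator is shown under the top-level-only and Section 5.3 MUST rules and withheld under the proposed SHOULD rule, with `blockingElements` naming the element responsible.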