EV SSL and XSS: Mixing apples and oranges

When individuals lack an understanding of the specifics of a technology, it is easy to draw inaccurate conclusions about how any two technologies are related -- if they are related at all.

One example is the recent misinterpretation of the impact of cross-site scripting (XSS) on websites protected by Extended Validation (EV) Secure Sockets Layer (SSL) Certificates. The industry discussion on this topic demonstrates a misunderstanding of the vulnerabilities EV SSL Certificates are designed to address and the vulnerabilities XSS exploits.

Apples and oranges
When someone using Internet Explorer 7 or the latest beta version of Firefox 3 logs on to a website protected by an EV SSL Certificate, the browser recognizes the certificate, turns the URL bar green and displays information on the legitimate owner of the website. This "green bar" means that a trusted third-party security firm has researched and verified the ownership of the website. In this way, EV SSL gives the industry an important weapon for protecting consumers from fraudulent websites whose operators cannot be identified.

The XSS threat arises when attackers inject malicious script into a website's pages, where it runs in visitors' browsers and can be used for a variety of criminal activities. While it is true that a website validated by EV SSL could be compromised in this way, the XSS threat is a function of weaknesses in the website owner's security practices, such as poorly secured third-party banner ads. XSS is not a function of any failure to effectively validate a website's ownership.

Suggesting a relationship between the orthogonal security issues of EV SSL and XSS is like asking why bullet-proof vests don't protect a soldier's leg. They don't, but no one would send a soldier into battle without that vest.

In the interest of the consumer
When the CA/Browser Forum developed the EV SSL guidelines, the objective was to standardize highly reliable procedures for verifying the identity of website owners. A voluntary industry organization of certificate authorities and internet browser vendors, the CA/B Forum sought to give consumers the ability to decide whether they trust a particular business enough to do business with it.

It has never been asserted that EV SSL Certificates would lock all the "doors" of online businesses or guarantee that websites will be coded appropriately to prevent online security vulnerabilities.

For sites that have suffered XSS or other security breaches, the "green bar" shows who is unambiguously responsible for the security problems on the website. By definitively identifying the business operating the site, it enables visitors to judge which businesses they believe will get online security right and which will not. Finally, the EV guidelines include policing measures that enable certificate authorities to quickly revoke "improperly issued or misused certificates" from rogue or otherwise compromised sites.

As in so many things in life, there is no silver bullet solution to an ever-evolving problem like online security. Online businesses must be vigilant in protecting themselves and their customers from phishing, XSS and various other threats.

But conscientious and responsible IT managers should see through the confusion between these distinctly different security paradigms. Apples-and-oranges comparisons are a disservice to the industry and to users, not least the 100 million consumers who can view the EV SSL "green bar" today. Instead we can all focus on protecting customers comprehensively by operating websites that are not vulnerable to XSS attacks and that also offer state-of-the-art SSL to ensure visitors' peace of mind.
