EV SSL and XSS: Mixing apples and oranges

When individuals lack an understanding of the specifics of a technology, it is very easy to draw inaccurate conclusions about how any two technologies are related, if they are related at all.

One example is the recent misinterpretation of the impact of cross-site scripting (XSS) on websites protected by Extended Validation (EV) Secure Sockets Layer (SSL) Certificates. The industry discussion on this topic demonstrates a misunderstanding of the vulnerabilities EV SSL Certificates are designed to address and the vulnerabilities XSS exploits.

Apples and oranges
When someone using Internet Explorer 7 or the latest beta version of Firefox 3 logs on to a website protected by EV SSL Certificates, the browser registers the certificate and lights the URL bar green while providing information on the legitimate owner of the website. This "green bar" means that a trusted third party security firm has researched and verified the ownership of the website. In this way, EV SSL provides the industry an important weapon for protecting consumers when they go to fraudulent websites whose identities are not known.

The XSS threat is a result of hackers infiltrating websites and implanting malicious code that can be used for a variety of criminal activities. While it is true that a website validated by EV SSL could be compromised in this way, the XSS threat is a function of weaknesses in the website owner's security policies, such as poorly secured third-party banner ads. XSS is not a function of the failure to effectively validate a website's ownership.

Suggesting a relationship between the orthogonal online security issues of EV SSL and XSS threats is similar to asking why bullet-proof vests don't protect a soldier's leg. They don't, but no one would send a soldier into battle without that vest.

In the interest of the consumer
When the CA/Browser Forum developed the EV SSL guidelines, the objective was to standardize highly reliable procedures for verifying the identity of website owners. A voluntary industry organization of certificate authorities and internet browser vendors, the CA/B Forum sought to empower consumers with the ability to decide whether they trust a particular business enough to do business with it.

It has never been asserted that EV SSL Certificates would lock all the "doors" of online businesses or guarantee that websites will be coded appropriately to prevent online security vulnerabilities.

For sites that have suffered XSS or other security breaches, the "green bar" shows who is unambiguously responsible for the security problems on the website. And by definitively identifying the business operating the site, visitors become increasingly enabled to make judgments about which businesses they believe will get online security right and which they do not. Finally, the EV guidelines include policing measures that enable certificate authorities to quickly revoke "improperly issued or misused certificates" from rogue or otherwise compromised sites.

As in so many things in life, there is no silver bullet solution to an ever-evolving problem like online security. Online businesses must be vigilant in protecting themselves and their customers from phishing, XSS and various other threats.

But conscientious and responsible IT managers should see through the confusion over the distinctly different security paradigms. Apples and oranges comparisons are a disservice to the industry and users, not the least of whom are the 100 million consumers who can view the EV SSL "green bar" today. Instead we all can focus on protecting customers comprehensively by operating websites that are not vulnerable to XSS attacks and that also offer state-of-the-art SSL to ensure visitors' peace of mind.
