EV SSL and XSS: Mixing apples and oranges

When individuals lack an understanding of the specifics of a technology, it is very easy to draw inaccurate conclusions about how any two technologies are related -- if they are related at all.

One example is the recent misinterpretation of the impact of cross-site scripting (XSS) on websites protected by Extended Validation (EV) Secure Sockets Layer (SSL) Certificates. The industry discussion on this topic demonstrates a misunderstanding of the vulnerabilities EV SSL Certificates are designed to address and the vulnerabilities XSS exploits.

Apples and oranges
When someone using Internet Explorer 7 or the latest beta version of Firefox 3 logs on to a website protected by an EV SSL Certificate, the browser recognizes the certificate and lights the URL bar green while providing information on the legitimate owner of the website. This "green bar" means that a trusted third-party security firm has researched and verified the ownership of the website. In this way, EV SSL gives the industry an important weapon for protecting consumers from fraudulent websites whose ownership cannot be verified.

The XSS threat is a result of hackers infiltrating websites and implanting malicious code that can be used for a variety of criminal activities. While it is true that a website validated by EV SSL could be compromised in this way, the XSS threat is a function of weaknesses in the website owner's security policies, such as poorly secured third-party banner ads. XSS is not a function of the failure to effectively validate a website's ownership.
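As an added illustration (not part of the original column), this Python sketch shows why the two issues are orthogonal: the page below reflects a query parameter into its HTML, and whether that page is served behind an EV certificate or not changes nothing about the injection; only how the site encodes untrusted input does. The template, the `probe()` payload and the query string are constructed sample data.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: a search page that echoes the user's query back into the HTML.
# The TLS layer (EV or otherwise) authenticates the server; it never inspects this template.
PAGE_TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"

# Constructed query string: "q=<script>probe()</script>", URL-encoded as a browser would send it.
CONSTRUCTED_QUERY = "q=%3Cscript%3Eprobe()%3C%2Fscript%3E"
CONSTRUCTED_PAYLOAD = "<script>probe()</script>"


def _query_param(raw_query_string: str) -> str:
    """Extract the 'q' parameter the way a simple handler would (first value, or empty)."""
    return parse_qs(raw_query_string).get("q", [""])[0]


def render_unsafe(raw_query_string: str) -> str:
    """Reflect the parameter verbatim: the XSS-prone version of the page."""
    return PAGE_TEMPLATE.format(query=_query_param(raw_query_string))


def render_safe(raw_query_string: str) -> str:
    """Same page, but untrusted input is HTML-escaped before it lands in markup."""
    return PAGE_TEMPLATE.format(query=html.escape(_query_param(raw_query_string), quote=True))


def payload_survives(rendered_html: str, payload: str) -> bool:
    """Detection check: did the payload reach the page as live markup rather than text?"""
    return payload in rendered_html


if __name__ == "__main__":
    # The server identity (green bar or not) is identical for both responses;
    # only the encoding decision separates the vulnerable page from the safe one.
    print("unsafe page injects script:", payload_survives(render_unsafe(CONSTRUCTED_QUERY), CONSTRUCTED_PAYLOAD))
    print("safe page injects script:  ", payload_survives(render_safe(CONSTRUCTED_QUERY), CONSTRUCTED_PAYLOAD))
```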

Suggesting a relationship between the orthogonal online security issues of EV SSL and XSS threats is similar to asking why bullet-proof vests don't protect a soldier's leg. They don't, but no one would send a soldier into battle without that vest.

In the interest of the consumer
When the CA/Browser Forum developed the EV SSL guidelines, the objective was to standardize highly reliable procedures for verifying the identity of website owners. A voluntary industry organization of certificate authorities and internet browser vendors, the CA/B Forum sought to empower consumers with the ability to decide for themselves whether they trust a particular business enough to do business with it.

It has never been asserted that EV SSL Certificates would lock all the "doors" of online businesses or guarantee that websites will be coded appropriately to prevent online security vulnerabilities.

For sites that have suffered XSS or other security breaches, the "green bar" shows who is unambiguously responsible for the security problems on the website. And by definitively identifying the business operating the site, it leaves visitors better able to judge which businesses they believe will get online security right and which will not. Finally, the EV guidelines include policing measures that enable certificate authorities to quickly revoke "improperly issued or misused certificates" from rogue or otherwise compromised sites.

As in so many things in life, there is no silver bullet solution to an ever-evolving problem like online security. Online businesses must be vigilant in protecting themselves and their customers from phishing, XSS and various other threats.

But conscientious and responsible IT managers should see through the confusion over these distinctly different security paradigms. Apples-and-oranges comparisons are a disservice to the industry and to users, not the least of whom are the 100 million consumers who can view the EV SSL "green bar" today. Instead, we can all focus on protecting customers comprehensively by operating websites that are not vulnerable to XSS attacks and that also offer state-of-the-art SSL to ensure visitors' peace of mind.
