
EV SSL and XSS: Mixing apples and oranges

When individuals lack an understanding of the specifics of a technology, it is very easy to draw inaccurate conclusions about how any two technologies are related -- if they are related at all.

One example is the recent misinterpretation of the impact of cross-site scripting (XSS) on websites protected by Extended Validation (EV) Secure Sockets Layer (SSL) Certificates. The industry discussion on this topic demonstrates a misunderstanding of the vulnerabilities EV SSL Certificates are designed to address and the vulnerabilities XSS exploits.

Apples and oranges
When someone using Internet Explorer 7 or the latest beta version of Firefox 3 logs on to a website protected by EV SSL Certificates, the browser registers the certificate and lights the URL bar green while providing information on the legitimate owner of the website. This "green bar" means that a trusted third party security firm has researched and verified the ownership of the website. In this way, EV SSL provides the industry an important weapon for protecting consumers when they go to fraudulent websites whose identities are not known.

The XSS threat is a result of hackers infiltrating websites and implanting malicious code that can be used for a variety of criminal activities. While it is true that a website validated by EV SSL could be compromised in this way, the XSS threat is a function of weaknesses in the website owner's security policies, such as poorly secured third-party banner ads. XSS is not a function of the failure to effectively validate a website's ownership.

Suggesting a relationship between the orthogonal online security issues of EV SSL and XSS threats is similar to asking why bullet-proof vests don't protect a soldier's leg. They don't, but no one would send a soldier into battle without that vest.

In the interest of the consumer
When the CA/Browser Forum developed the EV SSL guidelines, the objective was to standardize highly reliable procedures for verifying the identity of website owners. A voluntary industry organization of certificate authorities and internet browser vendors, the CA/B Forum sought to empower consumers with the unique ability to decide whether a particular business is one they trust enough to do business with.

It has never been asserted that EV SSL Certificates would lock all the "doors" of online businesses or guarantee that websites will be coded appropriately to prevent online security vulnerabilities.

For sites that have suffered XSS or other security breaches, the "green bar" shows who is unambiguously responsible for the security problems on the website. And by definitively identifying the business operating the site, visitors become increasingly enabled to make judgments about which businesses they believe will get online security right and which they do not. Finally, the EV guidelines include policing measures that enable certificate authorities to quickly revoke "improperly issued or misused certificates" from rogue or otherwise compromised sites.

As in so many things in life, there is no silver bullet solution to an ever-evolving problem like online security. Online businesses must be vigilant in protecting themselves and their customers from phishing, XSS and various other threats.

But conscientious and responsible IT managers should see through the confusion over these distinctly different security paradigms. Apples-and-oranges comparisons are a disservice to the industry and to users, not the least of whom are the 100 million consumers who can view the EV SSL "green bar" today. Instead, we can all focus on protecting customers comprehensively by operating websites that are not vulnerable to XSS attacks and that also offer state-of-the-art SSL to ensure visitors' peace of mind.

Senior Fellow, Tim Callan, contributes to the company’s standards and practices effort, industry relations, product roadmap, and go-to-market strategy. Tim has more than twenty years of experience as a strategic marketing and product leader for successful B2B software and SaaS companies, with fifteen years of experience in the SSL and PKI technology spaces.
