It ain’t EV ’til it’s EV, all EV

In the past couple of weeks I have been sewing up most of the loose threads in Opera's support for Extended Validation (EV) certificates, and have actually started testing something that resembles the final system.

The work to add Extended Validation has been going on for a while, the basic functionality was implemented last year, but there hasn't been time to build the surrounding infrastructure until this year.

Now, we are finally starting to see the end of the road.

However, I have started to notice something that could become a problem: Not all EV sites, such as Verisign's and PayPal's sites, are coded the way I think they should be coded, or the way Opera's EV support need to be able to recognize them as EV sites.

The sites themselves and the content they serve are not the problem. The thirdparty content they have chosen to include on their site is; Content that is NOT served from EV servers. Apparently, MSIE 7 does not take this external content into consideration when deciding to show the EV indication.

One of the most prominent examples of this third-party content is Google Analytics, which is added to a web page by an external Javascript from a non-EV secure server hosted by Google. Since Google's servers are not using EV certificates, Opera's EV support does not consider the site to be an EV site.

This is due to how Opera's security evaluation system works. Each URL loaded is evaluated based on which protocol was used, what kind of encryption, keylengths, and whether or not the certificate validated correctly. All of this is summed up as a Level in the range of 0 to 3 as follows

  • 0: No encryption (example, plain HTTP)
  • 1: Weak encryption (40 and 56 bit symmetric methods), weak keys (less than 900 bits RSA/DH/DSA), certificate errors, authentiction only. Additionally a combination of problems that would result in Level 2 security being displayed if only one of them were encountered.
  • 2: One, and only one, of these: medium strength keys (900-999 bit RSA/DH/DSA) or failure to get a valid OCSP response. A combination of both results in Level 1 being chosen.
  • 3: Only when using 128 bit encryption, 1000 bit or more RSA/DH/DSA keys, no certificate validation problems.

EV is implemented as Level 4 in this ranking, and a Level 3 resource is only escalated to Level 4 if it contains the necessary EV identificator.

For a group of URLs, such as a web page with redirects, images, CSS, scripts, frames, and so on, the URL with the weakest security level determines the security level for the entire document. This means that a web page with a single unencrypted 1-by-1 image gets Level 0, and that an EV website which includes a 1-by-1 image from a Level 3 non-EV site does not get the EV status. The only exception to this rule is that, on certain conditions, the first request may be a HTTP to HTTPS redirect.

The reason for this design is simple:

  • It is difficult, and in most cases impossible, for a web browser to determine how sensitive a particular element of a page is.
  • Some elements can affect the meaning of the site (for example, a big image, a script, or a frame).
  • In some cases, such as unencrypted requests, analyzing that traffic may reveal what the user is working on (for example, evaluating a stock transaction).

One can make the argument that since the page is secure we can assume that the owners of the site know what they are doing, and that any use of less secure resources is intentional and does not represent a security problem. That assumption is wrong. They may know what they are doing, and have no intention of lowering the security level, but they can still make a mistake somewhere. In at least two cases I have seen, misconfiguration of proxies or redirects caused content that was not secure to be included in otherwise secure banking/payment pages. In one of the cases this content was an external JavaScript used in a payment page, and an attacker could have gotten full access to the secure page if he had changed the JavaScript in transit.

With respect to EV one can make the same argument, but it is flawed in this case, too:

  • The primary point of using an EV certificate on a site is to know the identity of the site's owner.
  • The EV site's owner may or may not know who owns a non-EV third-party site, the client has no way of determining that. We do not know, and cannot know, if the agreement is just a click-wrap or the result of months long lawyer negotiations.
  • In several of the observed cases the third-party content was external JavaScript, which means the third-party is essentially granted full access to manipulate the site's content, and all of it.
  • By allowing non-EV third-party content in a EV site it becomes possible to set up EV "redirector" sites that let non-EV sites look like they are using EV by embedding their content in a frame.

Part of the reason for creating Extended Validation certificates was raising the bar for identification on the Internet, so that is what we will do: Raise the bar.

When Opera ships a version with EV, probably in Kestrel, a site will not be considered as having EV unless all resources used in the rendered page are using Extended Validation certificates.

"It ain't EV 'til it's EV, all EV"

17 thoughts on “It ain’t EV ’til it’s EV, all EV”

  1. The EV site’s owner may or may not know who owns a non-EV third-party siteIf they don’t know who owns it or don’t trust the remote site, why on earth are they embedding content from that site? That’s madness whether you are using EV or not.If the owner of Site A wants some content from Site B, which he trusts, he can do one of two things. A) He can copy the content to Site A and serve it from there, or B) he can embed it directly from Site B (using HTTPS of some sort to make sure it actually does come from Site B – all certs guarantee this, not just EV). You are saying that A) is OK but B) is not – but it’s the same content, so that doesn’t make sense to me.

  2. Gerv: The primary point is that the client have no way to tell. Ads is one possible area where the contract partner may be referencing third-party content. The administrator may have opened an account at some “cool” webrelated tool provider, and just clicked through the agreement, added the tool to his pages, and not considered the possible side effects, or checked the provider more closesly.In your case A the site owner assumes a much higher responsibility by serving the content directly, and is vouching for all of it. In case B he is “just” linking to content.

  3. It looks to me as another endless discussion will come: “my IE7 says that my site is secure but Opera says it’s not. Opera sucks…”Who will stay and analyze the problem to see that Opera is correct and IE is not?I just heard of this EV thingie and from the words above it already looks like crap to me, another pointless security measure designed for the n00bs that can’t distinguish between google.com and goggle.com and will happily try to use whichever comes first.

  4. Arthur, the way that discussion end may depend entirely on how the other browsers decide to approach the issue. Perhaps Microsoft decides to change their handling? Time will tell.

  5. Opera is correct in enforcing the rules. I saw some sites where Opera told me to accept a weak certificate etc. while other browsers didn’t have any problem at all with possible problems (default configuration). I like the information Opera is giving me. The whole EV system is based on trust (as the whole PKI is). I wouldn’t trust a ‘secure’ site, if it has unsecure content in it. The unsecure content (e.g. a banner ad) could be served from fraudulent servers. It would be ridiculous for sincere sites to include unsecure content such as banners in important parts of the site.

  6. I wonder why nobody mentions the possibility of a server hack so the insecure content is not necessarily under control of the secure site’s owner. There are lots of hacked web-servers around these days (especially in Italy).

  7. ResearchWizard: I am not mentioning that because that problem is a possibility even for an all-EV site.

  8. I’m glad that you have such a good policy. I hope the other browser vendors choose to have the same attitude.

  9. “…another pointless security measure designed for the n00bs that can’t distinguish between google.com and goggle.com…”I have to disagree here–for example, let’s say I go to http://www.bankofamerica.com and sign on to my account. And let’s say that the web designers at the bank wanted to know what users of the site think of some aspect of the site, so they insert a little code that draws from a survey vendor’s site that allows a user of the site to give a little input while banking. A page by that description will still say bankofamerica.com, but it will have an element coming from the survey vendor’s site. Yngve is asserting that the whole page is only as secure as it’s weakest element. If the bank’s materials are secure, the site may nonetheless be vulnerable if the code they are drawing from the survey vendor is insecure. Validation then comes into play because I, the user of the site, have no way of telling that the survey element is insecure or compromised since the URL still says “bankofamerica.com”. So, although I think this type of validation may be overkill for most of my browsing needs, it will be very useful with sites that are intended to be secure. If widely adopted this would be very effective at causing web designers of secure sites to ensure their sites contain only properly validated elements, which would result in a more secure site overall.

  10. Hi ….. EV is all well and good, but there is still the issue of the “Opera Browser” being rejected as a “secure browser” when visiting the vast majority of sites where “security validation” is required:-1. Banks(UK & US) – not sure with regard to other countries2. On-Line Shopping – to my knowledge(experience) 100% – okay, 100% is limited to the sites I have visited, so no where near comprehensive, but still even if there are sites out there, Operas’ acceptance as a secure browser is not global. Which really frustrates me, when “they” want you to use IE(security is a joke on that tool!!) … So I use Firefox for all my “https” visits.I love using Opera on my desktop, although some of the “button” placements on some sites are still “skewed” and overlap content. The security is great, and good to see Opera still attaching the highest value to this, the most important aspect of ANY “web browser”. BUT, it still fails to be accepted as a viable option to secure web-site usage. Until that has been resolved, and Opera is regarded as “globally mainstream” by corporates, the Opera Browser will remain where it currently resides …… which a crying shame.Jos Joslyn

  11. Yngve thanks for great article! It has really enlightened me in the matter of EV. Keep it up!

  12. I’d like to thank you for publishing this article, it was really helpful. I needed to find some information on EV for my studies and here I’ve found everything I wanted to know. Thanks once again!

  13. Thanks for giving me whole bunch of intereting information about extended validation. I’ve been doing some research on the subject of validation in general but the info on Opera browser really was helpful in my work.

  14. [quote Yngve]so that is what we will do: Raise the bar[/quote][quote graste]Opera is correct in enforcing the rules.[/quote]Absolutely! I also thank you, Yngve, for a clear and complete presentation of Opera’s EV policy and where it came from.A security policy is as secure as its weakest link: the Opera EV implementation clearly realizes this, and both the end-users and site-implementors benefit from this.I too am a developer/architect of a forthcoming web service, which will of course rely on the security of our own web pages, as well as those of our partners.

  15. Would it be too bold of opera to block insecure content from an EV site – kinda like it blocks popups. I’d probably just ignore not seeing a green-bar, but if Opera blocked and warned me of insecure content I’d probably step back and re-evaluate the site. I might even contact the site owner to find out what’s going on.I also liked the idea presented in that blog link above. I think “Larry” the identity checker does a good job of illustrating the verified identity of the site without giving false impressions about it’s security.An Extended Validation certificate tells us, with more certainty than any other web technology out there, who you are. It does not tell us that you’re a nice person. Identity, not security.I wonder if EV should have specified how browsers should treat insecure content. It sounds like it’s only half doing its job 🙂

  16. I’d like to thank you for publishing this article, it was really helpful. I needed to find some information on EV for my studies and here I’ve found everything I wanted to know.

Comments are closed.