Last week at the W3C's Web Security Context Working Group's meeting at Opera HQ here in Oslo we discussed what should be the criteria for displaying the Extended Validation (EV) indicator, or the Augmented Assurance (AA) indicator, as the WG has decided to call this technology.
As I have said earlier, we are of the opinion that the EV indicator should not be displayed unless all content is loaded from EV servers.
The opposing view is that, so long as all content is loaded over secure connections, the displayed document is what the author of the main document intended (bugs, vulnerabilities, and all), and that it is therefore only necessary to verify that the main document is served from an EV server, as this will provide the information necessary to identify the author.
The decision of the WG was in favour of the less restrictive position: if an AA/EV document loads all resources over strongly TLS-protected connections, then the document can be displayed with an AA/EV indicator.
In the interest of providing a common user experience with respect to EV we have decided to follow this recommendation, and today's Kestrel snapshot include this policy change.
We have, however, left the old logic in place, controlled by a preference that can be updated remotely. This permits us to quickly change to a stricter mode if the consensus about what constitutes an AA/EV site changes in the future.
As a consequence of this policy change a large number of sites, such as Paypal, with mixed EV and non-EV content will now get the "Green Bar" in Opera:
This change on the W3C’s part seems to be a disservice to the customer who is using a secure login for their banking, shopping, and other financial needs. As security is only as strong as its weakest link, it therefore does not follow to advertise the strongest link in the status display of browsers. In my belief this gives the user a false sense of the security of the site.Is there a way to activate the old logic in the new Opera snapshot?What use case(s) did the opposing view give for why it would be preferable to not have EV certificates on iframes and other portions of the page that are not part of the main document?Kindly asking Opera to consider violating this aspect of the specification if it becomes finalized in this weaker form. The only thing worse than no spec is a bad spec.
I think it coult be in opera:config –> Security Prefs “Strict EV Mode”Whatever this is, I enabled it already :)Liked the policy “It ain´t EV till it´s all EV.”
@Turin: security of connection and verification of identity are two separate things. All content that gets loaded will be loaded over secure connections, EV certificates do not offer better protection against eavesdropping than the normal strong SSL certificates. But content from various servers can get loaded into a page. The change in Opera’s behavior means (which makes sure that we get green bars on the same sites as other EV-supporting browsers) that only the identity of the top-level document needs to be certified with an EV certificate. So Paypal could buy an EV certificate for http://www.paypal.com, and load scripts into their pages from resources.paypal.com (just an example, no idea what the exact issue was there) for which they only have bought a much cheaper SSL certificate.
> The opposing view is that, so long as all content is loaded over secure connections, the displayed document is what the author of the main document intended (bugs, vulnerabilities, and all)So, you could just as well drop support for EV in that case and admit that the critics of EV were right? Isn’t it just the content from other domains that makes sites vulnerable to things like XSS? The goal of EV was to have the CA check that the certificate they sell was really, really sold to whoever claimed to buy it.Even, buying an EV certificate for their resources server is peanuts for companies like paypal.So, as far as I understand it, the only thing a green bar means now is that the identity of the main page is trusted by Opera (and by me, since I trust the Opera CA review), but it does not tell me anything about the identity of the actual page content (which is what matters to me), unless I enable the opera:config setting. Sounds pretty useless, no? I hope I’m missing something.
@JeroenH: the goal of EV was not to prevent XSS. Yngve earlier gave an example of Google Analytics javascripts being embedded in EV site their non-EV SLL site. If the secure Google Analytics server would have had an EV certificate, Opera would have shown ‘green’ earlier for several sites, but you would still have seen ‘Other Site’ in the address bar, there. What added value would that EV certificate for Google Analytics give you? In the case of Paypal, what would it help if http://www.paypalobjects.com had an EV certificate? The site does not become more or less secure; the owner, responsible for which stuff gets loaded in the main page, does not become more clearly identified. Only the latter is what EV certifies, whether that is useful is up to you to decide 🙂
Rijk, it’s just that the CA verifies the identity. Anyone with an email adress can sign up for a normal certificate (haven’t seen the SSL certificate in 5 minutes ads?) and have it appear with a padlock. They can’t do that with an EV certificate, which requires a more careful check by the CA (that’s the promise of EV, at least).> The site does not become more or less secure; the owner, responsible for which stuff gets loaded in the main page, does not become more clearly identified.So imagine that badsite.com finds an XSS flaw in paypal (which I agree paypal is responsible for, but these things happen). It can embed an iframe of itself in paypal and do any nasty thing it wants to do, since it is quite able to get a normal certificate. Under the new scheme, Opera would not tell me anything is wrong. Using the old scheme, I could sense that something was wrong, since there was no green in the address bar in that case. It’s just an opportunity for extra protection, with no extra work for you and me as users.> What added value would that EV certificate for Google Analytics give you?That the CA has thoroughly checked Google Analytics as being actually “Google Analytics” and not “gOogle Analytics (hacker edition)” for example and thus as an organisation I do trust (implicitly, by trusting Opera to properly verify CA procedures). With EV, the promise is I can make the important distinction between “a certificate I trust” and “an organisation I trust”.In Yngve’s article which you linked, he talks about these issues. They have not changed since. He uses your example as an example for having the old scheme. Also Yngve’s title of this article is clear: lowering the bar.Opera has traditionally chosen to be on the forefront of security. This is what attracted many users to it, and now it starts making this sort of compromises by default, which makes EV neigh useless IMHO.
@JeroenH: you don’t know which third party content is included in the site until you do a detailed analysis. Badsite.com can also get an EV certificate, that states it is really Badsite.com. That wouldn’t make me happier, because it would still be a site I don’t want to have contact with, but I wouldn’t know because the address bar only says ‘green’ and ‘Paypal Inc. (US)’. The point is that the address bar can only give easy access to trust info for a single entity – I have to trust that entity is smart enough to only include third party content that can be trusted, I am not going to check the Info panel during each visit to see if they’ve started embedding stuff from Badsite.com. If you see a banking site that displays ad banners on their secure section, quickly run away to get a serious bank… those ad servers have been compromised in the past and it will happen again.An EV implementation that would almost never show green because we interpret the system very different from all other browsers is useless as well.
Originally posted by Rijk:An EV implementation that would almost never show green because we interpret the system very different from all other browsers is useless as well.In what way would this be a useless implementation, at least when it did display that the EV status was green it would provide service to the user. I am not sure why poor security choices on the part of PayPal and other browser manufacturers must lead to Opera adopting a weaker security paradigm.Third party content on a secure site is always going to be a risk to the user because it is under the control of another corporation or individual other than the one that the user is doing the transaction with directly thereby increasing the user’s risk surface. But this can be a mitigated risk if proper security practices are followed. This means requiring the third party content to have the same level of certificate and the same level of security over HTTPS as the host site.I have to trust that entity is smart enough to only include third party content that can be trustedWho the host site trusts and the user trusts are often different groups entirely. While it is the responsability of the secure site to try to ensure that the third party is reliable, that does not in my opinion give the third party provider an escape clause when it come to its EV certificates, which in my opinion this change in the EV process provides just such an escape clause.
‘same level of certificate and https security’, I don’t understand. EV and non-EV certificates offer the same technical security level.If you think YourBigBank.com is capable of including third party content were it might accidentally confuse the URL of a ‘good’ third party site with a rogue imposter ‘bad’ one that has non-EV SSL certificate, then the old requirement might have helped, if all browsers followed the same strategy. Then it would have been normal that YourBigBank.com shows ‘green’, and if they make such a mistake the bar would become yellow… But that is not the case, and Opera couldn’t convince others to follow that road. Banks are not going to care that Opera (as only one of the browsers) shows yellow instead of green. So the old system means that YourBigBank.com would always show yellow in Opera and green in the others, and if they accidentally included a rogue third party, it would still be yellow in Opera and green in the others. With the new system (and in the other browsers), the address bar shows green and keeps showing green in Opera as well. So green-green instead of yellow-yellow, no information loss at all.Distinguishing your own list of trusted sites apart from the sites trusted by a principal trusted site is pointless IMHO, you’d have to investigate the complete site during each visit. But I think I’m starting to repeat myself now 🙂
I don’t blame Opera for this change.Assuming Opera didn’t change their policy and someone raises an eye-brow that Paypal doesn’t pass the test and they contact Paypal, Paypal will most likely tell the user to use Firefox to access their site instead.If it’s ok in FF and not in Opera, they’ll either use FF instead or learn to ignore Opera’s warnings.People who choose to enable strict EV checks won’t be doing themselves any favours. Are you really going to boycott Ebay because they don’t pass, or will you instead ignore the warning?
What a pity!I thought SSL mutual authentication with “real” EV indicator could be the ultimate solution against phishing and other frauds …How to prevent hackers from inserting malicious code into DV objects which are used by EV sites?