[SSL Observatory] did they generate impostor EV certs? (was: SSL CA compromise in the wild)

Matt McCutchen matt at mattmccutchen.net
Thu Mar 24 15:37:55 PDT 2011


On Thu, 2011-03-24 at 16:19 -0600, Hodges, Jeff wrote:
> I note that the legit certs presented by <https://login.live.com/> and
> <https://addons.mozilla.org/> are regarded as EV certs by browsers --
> are the impostor certs for those two domains also treated as EV? Has
> anyone tested this?

It would hardly matter -- the attacker could let the main HTML page load
from the legitimate site, triggering the EV badge, and then MITM one of
the subsequent connections for embedded JavaScript and compromise the
page that way.  EV gives you a binding of a DNS name to an organization,
but all the security still rests on your certificate acceptance
criteria.

-- 
Matt
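As an added example (not code from this thread or its authors), a small Python script that lists every other origin a page's active content is fetched from; each of those is a separate certificate-acceptance decision that the EV badge on the top-level page says nothing about. The sample HTML and host names are constructed.

```python
"""List the TLS endpoints a page depends on beyond the one that earned the EV badge.
Added example; the sample HTML and hosts below are constructed, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched content can execute script or rewrite the page.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
ACTIVE_LINK_RELS = {"stylesheet", "preload", "modulepreload", "import"}


def _origin(url):
    s = urlsplit(url)
    return f"{s.scheme}://{s.netloc}".lower()


class _SubresourceCollector(HTMLParser):
    """Collect absolute URLs of active sub-resources referenced by the document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() not in ACTIVE_LINK_RELS:
            return  # icons, canonical links etc. cannot inject code
        if a.get(attr):
            self.urls.append(urljoin(self.base_url, a[attr]))  # resolves "//host/x" too


def trust_surface(html, page_url):
    """Map each foreign origin -> list of active resources fetched from it.
    The page's own origin is omitted: that is the one connection the EV badge covers."""
    p = _SubresourceCollector(page_url)
    p.feed(html)
    page_origin = _origin(page_url)
    out = {}
    for u in p.urls:
        o = _origin(u)
        if o != page_origin:
            out.setdefault(o, []).append(u)
    return out


def plaintext_origins(surface):
    """Origins fetched without TLS at all: no certificate check happens for these."""
    return sorted(o for o in surface if o.startswith("http://"))


SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example/style.css">
<link rel="icon" href="https://icons.example/favicon.ico">
<img src="http://tracker.example/pixel.gif">
</head><body><iframe src="http://tracker.example/frame"></iframe></body></html>"""

if __name__ == "__main__":
    for origin, urls in trust_surface(SAMPLE_HTML, "https://login.example/").items():
        print(origin, urls)
```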