So I’m on a webinar right now, listening to a gentleman from Verisign talking about how the EV (Extended Validation) SSL Certs prevent Phishing among other things. You have probably seen the Green Bar and SSL Certificate – The name next to the lock is embedded in the certificate, and the theory is that this cannot be modified by the attacker or phisher. Here is a picture courtesy of Verisign:
I’ve asked the presenter to address the following XSS Attacks:
- Extended Validation certificates and XSS considered harmful
- PayPal XSS Vulnerability Undermines EV SSL Security
But, I’m hearing mostly about the “Green Bar”, and seeing statistics on how users like the “Green Bar” and sites that get increased transaction volume, transaction ticket sizes, as well as reduced cart abandonment. Unfortunately the “Security” presentation has turned to a “Sales” presentation… But with these XSS attacks:
The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.