The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

Extended Validation No Guarantee Against Cross-Site Scripting Attacks

Microsoft demonstration website for Extended Validation certificates.  Image via Wikipedia

Given that anyone can get an SSL Ceritifcate these days for next to nothing, that “lock” in your browser only means that the content is encrypted. What you may or may not know is, who you are connecting with–something SSL was designed to solve.

Internet Explorer 7 and Firefox 3 beta support something that is called Extended Validation (EV) SSL certificates. Basically, in order to get an Extended Validation certificate, you must pass a certain set of criteria–and pay an order of magnitude more money–for the privilege. What will you get? Users using a EV-enabled browser will get a green bar in your URL field saying “yes, you’ve connected to PayPal” or whomever.

Leave it to someone to find a cross-site scripting vulnerability–in PayPal, no less. This means someone can inject code–through another site–into Paypal. If you’re logged into PayPal when this code runs, who knows what could happen!

With multi-tabbed web browsers the norm these days, where you’re potentially logged into multiple web sites, it’s entirely possible for a script on one page to “inject code” on a different website and do nefarious things on your behalf–without your knowledge!

What can you do about it? For critical sites like PayPal, run it in a completely different browser. If you normally use Firefox? Use IE. Or Opera, or Safari. A cross-site scripting vulnerability will have a challenge crossing the boundary to another program.

If you run Firefox like me, the NoScript plugin provides some protection against XSS attacks.


C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.