Does Greenbar in Browser Mean Safe or Only Safer?
Red means stop, green means go. Simple enough. Green bar in the browser means the site uses an extended validation (EV) SSL certificate so it's safe, right? Yes, sort of. ComputerWorld point out that a researcher at Netcraft found a way to use a cross site scripting attack against Paypal (which uses EV SSL) to capture user credentials.
Netcraft reports
While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems - including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.
EV SSLs do bring higher levels of validation and verification to the process of authenticating a site, but it's no panacea. (For more on EV SSLs, see the Shortcut Guide to Extended Validation Certificates). EV SSLs do not attest to lack of vulnerabilities, like weak SSL keys, or poor programming practices that result in SQL injection vulnerabilities.
This is not a criticism of EV SSLs, they are one way to improve security but they can't be more than they were designed to be.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
