Content tagged “security”

  1. Extended Validation is Broken

    Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for “Stripe, Inc” that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.

    In this post, Ian outlines several Web security-related flaws in current-era browser user interfaces. Browsers, in an attempt to be clever, hide several important pieces of information that could tell users who is actually behind a particular website. On top of that, Ian demonstrates flaws in the cross-jurisdictional systems that allow like-named but unrelated business entities to coexist.

    Browser vendors treat extended validation certificates as special cases, giving them visual priority over standard TLS certificates. The average user won’t know the difference—nor should they—when they see “Trusted Company X” highlighted in green in their browser’s URL bar. The expectation is that they’re actually viewing Trusted Company X’s website and not the website of some rando with a little bit of money to spare.

  2. Bookmarklets are Dead…

    I posted yesterday on Twitter about an issue I ran into when trying to use a bookmarklet on a website—GitHub, in this case—with a Content Security Policy. Instapaper developer Brian Donohue pointed me to a post he’d written on just this issue in 2014.

    The ultimate catch-22 of the new Content Security Policy wording is that it’s intended to benefit the users, by providing additional security from hypothetical malicious add-ons on websites that enforce a Content Security Policy. In the end the bookmarklet has been relegated to obsolescence by the change, a casualty of one clause in one section of one web specification, and end-users and developers are the ones who will mourn its demise. The path to hell is paved with good intentions.

    I’ve implemented a CSP on my own site and have now switched from using Instapaper’s bookmarklet to their Safari extension.
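
    To make the mechanism behind the quoted catch-22 concrete, here is an added example (not code from this post, from Instapaper, or from GitHub) of a simplified `script-src` evaluator. A typical read-it-later bookmarklet is a `javascript:` URL that inserts a `<script>` tag pointing at the service's own host; on a page whose policy only trusts its own origin and its CDN, both the inline step and the external load fall outside the allowed source list. The policy header, the page origin and the loader URL below are constructed for illustration, and the matcher omits ports, paths, nonces, hashes and `'strict-dynamic'` to stay short.

```javascript
// Added example: simplified CSP script-src evaluation (not the post's own code).
// The policy, origins and URLs below are constructed sample values.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// Directive names and source expressions are case-insensitive, so lowercase them.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression permit loading a script from scriptUrl on a page
// served from pageOrigin? Only the common expression kinds are handled.
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const script = new URL(scriptUrl);
  const pageProto = new URL(pageOrigin).protocol;
  if (expr === "'none'") return false;
  if (expr === "'self'") return script.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // other keywords, nonces, hashes: not host matches
  if (expr === '*') return script.protocol === 'https:' || script.protocol === 'http:';
  if (expr.endsWith(':')) return script.protocol === expr; // scheme-source, e.g. "https:"
  // host-source: [scheme://] [*.] host [:port] [/path]; port and path are ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(?:\/\S*)?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && script.protocol !== scheme + ':') return false;
  // Without an explicit scheme, the page's scheme (or an upgrade to https) is implied.
  if (!scheme && script.protocol !== pageProto && script.protocol !== 'https:') return false;
  return wildcard ? script.hostname.endsWith('.' + host) : script.hostname === host;
}

// kind is 'inline' (script text injected into the page) or 'external' (a <script src>).
// script-src governs; default-src is the fallback; no directive at all means no restriction.
function scriptAllowed(policy, kind, scriptUrl, pageOrigin) {
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  if (kind === 'inline') return sources.includes("'unsafe-inline'");
  return sources.some((expr) => sourceMatches(expr, scriptUrl, pageOrigin));
}

// Evaluate the two steps a script-injecting bookmarklet needs on a given page.
function evaluateBookmarklet(header, loaderUrl, pageOrigin) {
  const policy = parseCsp(header);
  return {
    inlineAllowed: scriptAllowed(policy, 'inline', null, pageOrigin),
    loaderAllowed: scriptAllowed(policy, 'external', loaderUrl, pageOrigin),
  };
}

// Constructed policy in the style of a site that trusts only itself and its CDN.
const SAMPLE_POLICY = "default-src 'none'; script-src 'self' https://assets.example.com; style-src 'self'";
const SAMPLE_PAGE = 'https://www.example.com';
const SAMPLE_LOADER = 'https://reader-service.example/j/loader.js'; // hypothetical bookmarklet host

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateBookmarklet(SAMPLE_POLICY, SAMPLE_LOADER, SAMPLE_PAGE));
}
```

    Both results come back false for the sample policy, which is the whole story of the quoted post: the page's own scripts keep working while anything the user injects from outside the allow-list is refused, and a browser extension sidesteps this only because it runs with the browser's privileges rather than as page content.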