Is XSS more harmful with Extended Validation certificates?

With the threat of new cross-site scripting vulnerabilities, some are wondering whether EV SSL certificates do more damage than good. Netcraft reported on an XSS attack that was done on SourceForge.net using an Extended Validation certificate. Because of the additional reassurance provided by EV certificates' "green address bar", users may be more willing to give personal information on pages that include content from another site (using a cross-site vulnerability). Netcraft commented:

The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.

The vulnerable page at SourceForge, showing the green address bar and injected JavaScript being executed

Extended Validation SSL certificates were originally created as a direct response to the rise in internet fraud, with additional verification processes reducing the likelihood of erroneously issuing a certificate to an unauthorised party. Modern web browsers treat EV SSL certificates differently to ordinary SSL certificates, typically turning the address bar green to show that a site can be trusted. Once users are conditioned into thinking that green means good, this could prove harmful when an EV SSL site contains a cross-site scripting vulnerability.

Though this is the first reported case of an XSS vulnerability on an a site with an EV certificate, there will surely be more to follow unless companies combine the use of EV SSL certificates with thorough vulnerability testing on all released code.

Extended Validation certificates and XSS considered harmful - [Netcraft]

Originally posted on Thu Mar 6, 2008