XSS and the 'Green Bar'

Larry Seltzer, on eWeek, posted on how the use of EV SSL Certificates might cause more XSS issues. XSS stands for "Cross Site Scripting" which exploits security flaws in web applications to run external code on another website, even if the site is secured by an SSL Certificate. XSS and EV has been discussed before but Seltzer brings up some interesting problems and solutions.

He commented on how certain elements of a page can be encrypted using a normal SSL certificate on a different domain, while still maintaining the green bar:

For instance, use Internet Explorer 7 or Firefox 3 (still pre-release) to look at the home page of PayPal. PayPal is the poster child for EV SSL, and it has decided to do everything it can to protect its brand and identity. But it hasn't got there yet.

The top-level document and some key elements, like the main PayPal logo, have EV certs. But other elements on the page, such as this graphic, do not. Browse the first one and you get a green bar; browse the second one and you don't.

Seltzer also noted how this can introduce greater problems with EV Certificates because users will be expecting the whole site to be secured after seeing the "green address bar":

It makes cross-site scripting attacks more serious, because the user will still see the green bar even though portions of the page are from a different site unprotected by the EV certificate. I don't want to overstate the danger of cross-site scripting, but neither do I want to understate it. Some very famous, important sites have experienced cross-site scripting attacks. They are difficult to eliminate because it requires consistent, good programming practices. You can't just plug in a security product to take them away.

This problem will start to become a little more pronounced soon, when users start using the next generations of the Firefox and Opera browsers. Both support EV SSL and will thus increase the awareness of SSL. (Apple appears to have no plans for EV SSL support in Safari.) One difference about them, as opposed to IE 7, is that they do not turn the whole address bar green, but just a small portion of it; I have to say I prefer the IE approach, but it's a little early to say one is right and the other wrong.

He makes a good point. Should browsers only show the green bar if all the content is on a domain secured by an EV SSL Certificate? This would almost stop XSS in its tracks because attackers would have to put the XSS script on a domain that has an EV SSL Certificate. Far more difficult that getting a normal SSL Certificate, some of which can be issued instantly. This is a practice that Opera has implemented which may make Opera a more secure browser than Firefox 3 or Internet Explorer 7. If this does prove to enable greater security, we would hope that the other browsers would follow and only enable the green address bar if all the content from a domain that is secured by an EV SSL Certificate.

Where's My Green Bar? - [eWeek]

Originally posted on Sun Apr 27, 2008