[cabfpub] Draft Zurich F2F Meeting agenda

Ryan Sleevi sleevi at google.com
Tue Apr 7 18:41:47 MST 2015


On Tue, Apr 7, 2015 at 6:33 PM, Geoff Keating <geoffk at apple.com> wrote:
>
> However, at least Safari should never show a green EV indicator in this
> situation, and I think this is the same for all browsers.
>

If we presume a user with administrative access, then you can induce both
Firefox and IE to display EV indicators. And, with creativity, I suspect
Safari and Chrome on Mac.

For IE - https://technet.microsoft.com/en-us/library/dd759060.aspx
For Firefox - You could replace the binary with one with
PSM_ENABLE_TEST_EV_ROOTS - see https://wiki.mozilla.org/PSM:EV_Testing

For Safari / Chrome, using one of the library preloads with mach_star
should give a sufficiently credentialed attacker the ability to interpose
on the EV propbag of Security.framework to add custom roots.

Yes, it's true that a "default configured" instance of all of these
browsers won't grant the EV treatment. But in an attack model in which the
user has installed a root certificate (a privileged operation), they could
just as easily pivot into another privileged position and impose there.