[cabfpub] Draft Zurich F2F Meeting agenda
sleevi at google.com
Tue Apr 7 18:41:47 MST 2015
On Tue, Apr 7, 2015 at 6:33 PM, Geoff Keating <geoffk at apple.com> wrote:
> However, at least Safari should never show a green EV indicator in this
> situation, and I think this is the same for all browsers.
If we presume a user with administrative access, than you can induce both
Firefox and IE to display EV indicators. And, with creativity, I suspect
Safari and Chrome on Mac.
For IE - https://technet.microsoft.com/en-us/library/dd759060.aspx
For Firefox - You could replace the binary with one with
PSM_ENABLE_TEST_EV_ROOTS - see https://wiki.mozilla.org/PSM:EV_Testing
For Safari / Chrome, using one of the library preloads with mach_star
should give a sufficiently credentialed attacker the ability to interpose
on the EV propbag of Security.framework to add custom roots.
Yes, it's true that a "default configured" instance of all of these
browsers won't grant the EV treatment. But in an attack model in which the
user has installed a root certificate (a privileged operation), they could
just as easily pivot into another privileged position and impose there.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public