
EV certificates help.



EV certificates may improve a user's awareness of a spoofed page, but cannot do anything to make it more technically difficult to execute.

Providing an HTTPS login with an otherwise HTTP site is vulnerable to redirection to HTTP or to another site.

There is lots of evidence that suggests that in this configuration, cookies are often not set up properly (secure only) and can therefore be transmitted and stolen over HTTP.
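An audit check for the cookie problem described in the comment above, added here as an illustration and not part of the original thread: given the `Set-Cookie` headers from an HTTPS login response, it lists which cookies a browser would still attach to a plain-HTTP request on the same host. The header values, cookie names and `example.test` URLs are constructed, and host matching is assumed to have already succeeded.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as an HTTPS login endpoint might return them.
LOGIN_RESPONSE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",   # no Secure attribute
    "csrftoken=xyz789; Path=/; Secure",
    "prefs=dark; Path=/settings",           # no Secure attribute
]


def path_matches(request_path, cookie_path):
    """Cookie path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def sent_in_cleartext(set_cookie_headers, url):
    """Names of cookies that would be attached to a request for `url`
    when it is plain HTTP. Secure cookies are withheld by the browser;
    everything else that path-matches goes over the wire unencrypted.
    Assumption: the request host already matches the cookie's host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    request_path = parts.path or "/"
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"]:
                continue  # only ever sent over HTTPS
            if path_matches(request_path, morsel["path"] or "/"):
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for url in ("http://example.test/news", "https://example.test/news"):
        print(url, "->", sent_in_cleartext(LOGIN_RESPONSE_HEADERS, url))
```

Note that `HttpOnly` on `sessionid` does not help here: it hides the cookie from scripts, not from the network.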


> EV certificates may improve a user's awareness of a spoofed page, but cannot do anything to make it more technically difficult to execute.

This is what I meant; this is why I used "may". Obviously the user must know the details of how SSL works, which not many of them do.



