EV SSL and iFrame attacks
We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).
Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer Web applications. Sites that offer complex and varied services in large production environments (such as a popular bank, portal, or e-commerce site) have no other practical choice if they want to offer the applications, performance, and uptime their customers demand. Often the sources of content for these frames originate outside the company operating the actual site. Many of these businesses mash up content from partners and specialized service providers in order to meet their product online needs. By way of example, any site using an ad network or content acceleration service is accepting content from another party.
So what should we do with EV SSL? The answer is we should do exactly what we are doing. It's still an incredibly valuable piece of information to know whether or not the operator of this site is who you think it is. This information is indispensible for consumers to protect themselves against the classic phishing attack. This attack is still the most widespread and damaging social engineering attack in history, and it still represents the greatest risk to consumers engaged in transactions online.
At the same time, we need to address the vulnerabilities that make these iFrame attacks possible. We need to lock down DNS security and beat malware and provide tools for laptop users to distinguish between rogue and benign wireless networks. These are the ways the security of the ecosystem is compromised. These are the weak points that this attack exploits. Think of SSL as a secure lock on the front door of your house. If the front door is secure but it turns out the back door is wide open, you might still find a stranger in your living room. So let's go put a lock on the back door, too.