thawte.com/cgi/server/thawte_seal_generator.exe">
This generates this graphic:
Note that both of these scripts could appear in SSL-protected pages without raising
mixed content warnings for users. If an attacker compromises the web servers that serve
these scripts, the attacker can also compromise every user visiting the sites where the
scripts are included. There is no need to compromise the fancy public key infrastructure (PKI)
or break any SSL: a simple web server bug is a privacy disaster for every user of the affected
sites. Recall that some web server software has a patchy history. This violates the security
principle of defense in depth, creates an obvious single point of failure, and reduces
security to the lowest common denominator for users.
Now, instead of a security-savvy SSL certificate authority, what if the script were
included from an online ad agency? How good would you feel about lowering your
application's security to the lesser of their protection or yours? As advertisements
are often a web site's primary source of revenue, this is often a much more compelling
business case. Adding images to make the uneducated feel a little better about the quality
of your SSL certificates is probably a bad security tradeoff unless you target a very
unusual demographic.
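The exposure described above can be audited from the serving side. The following is an added example, not code from the book: it parses an HTML page, reports every script loaded from an origin other than the page's own (exactly the includes that raise no mixed content warning yet hand that origin full control of the page), and notes whether the tag carries a Subresource Integrity hash, a browser mechanism the text does not discuss that pins the script's content. The sample HTML and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Record the src and integrity attribute of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def third_party_scripts(html, page_url):
    """Return one finding per <script> loaded from an origin other than the
    page's own. Each finding records the foreign origin, the src as written,
    and whether an integrity (SRI) attribute pins the script's content."""
    page = urlparse(page_url)
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        # A scheme-relative "//host/x.js" inherits the page's scheme.
        target = urlparse(src, scheme=page.scheme)
        if not target.netloc or target.netloc.lower() == page.netloc.lower():
            continue  # relative or same-origin include: served by our own server
        findings.append({
            "origin": f"{target.scheme}://{target.netloc.lower()}",
            "src": src,
            "sri": integrity is not None,
        })
    return findings


# Constructed sample page: one local script, one HTTPS seal script from a
# third-party host (placeholder name), and one ad script without any pinning.
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<script src="https://seal.example-ca.test/cgi/seal_generator.exe"
        integrity="sha384-PLACEHOLDERHASH"></script>
<script src="//ads.example-agency.test/serve.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in third_party_scripts(SAMPLE_HTML, "https://shop.example.test/checkout"):
        flag = "" if f["sri"] else "  <-- unpinned: origin compromise = page compromise"
        print(f"{f['origin']:45} {f['src']}{flag}")
```

Every origin the scanner lists is one whose web server security now bounds your own, which is the single point of failure the text describes.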