Extended Validation certificates and cross-site scripting
Extended Validation certificates and cross-site scripting
Posted Mar 13, 2008 6:45 UTC (Thu) by grahammm (guest, #773)Parent article: Extended Validation certificates and cross-site scripting
Maybe as soon as a site is detected as having a (potential) XSS vulnerability, the CA should revoke the EV certificate. But then do all browsers consult the CRLs?
Posted Mar 13, 2008 11:01 UTC (Thu)
by cortana (subscriber, #24596)
[Link]
Extended Validation certificates and cross-site scripting
AFAIK, no browsers bother to consult CRLs unless the user spends a lot of time configuring a
CRL for each embedded CA certificate that the browser ships with. Making the whole X.509 PKI
fairly useless in practice.