Solved

Remote JS execution with EV Certs

Posted on 2013-05-30
Last Modified: 2013-05-31
I've built a JavaScript API that basically is loaded from a remote sub-domain. So domain1.tld.com loads a JS library from domain2.tld.com.

The connection is all over SSL.

The question is, if domain1.tld.com has an EV cert, does domain2.tld.com need an EV cert as well? Or can it be a regular cert?
Question by:skione
6 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39210594
It can be a regular cert. No browser currently checks that all components are EV, but most check that all components are secured with valid certs.

Of course, that may change in the future.
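The check described in the answer above, as an added example that is not part of the original thread: it audits an HTTPS page's markup for subresources that are not loaded over HTTPS (the condition browsers do complain about) and lists the other hosts that need a valid, though not necessarily EV, certificate. The markup is constructed for illustration; `legacy.js`, `logo.png` and `/css/site.css` are hypothetical paths, and the regex-based tag scan is a simplification of real HTML parsing.

```javascript
// Constructed sample markup for the EV-secured host page (not from the thread).
const SAMPLE_HTML = `
<script src="https://domain2.tld.com/api.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.0/jquery.min.js"></script>
<script src="http://domain2.tld.com/legacy.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="http://domain2.tld.com/logo.png">
`;

// Tags treated as able to script or restyle the page ("active") versus
// display-only ("passive"). Simplification: every <link> counts as active.
const ACTIVE = new Set(["script", "link", "iframe"]);

// Returns one record per subresource reference found in the markup.
function auditSubresources(pageUrl, html) {
  const base = new URL(pageUrl);
  const re = /<(script|link|iframe|img)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const results = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const url = new URL(m[2], base); // resolves relative and protocol-relative URLs
    let verdict = "ok";
    if (base.protocol === "https:" && url.protocol !== "https:") {
      verdict = ACTIVE.has(tag) ? "mixed-active" : "mixed-passive";
    }
    results.push({ tag, host: url.host, url: url.href, verdict });
  }
  return results;
}

// Hosts other than the page's own that must present a valid certificate.
function thirdPartyTlsHosts(pageUrl, html) {
  const pageHost = new URL(pageUrl).host;
  const hosts = auditSubresources(pageUrl, html)
    .filter((r) => r.verdict === "ok" && r.host !== pageHost)
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

const PAGE = "https://domain1.tld.com/";
for (const r of auditSubresources(PAGE, SAMPLE_HTML)) {
  console.log(r.verdict.padEnd(14), r.tag.padEnd(7), r.url);
}
console.log("Hosts needing a valid cert:", thirdPartyTlsHosts(PAGE, SAMPLE_HTML));
```
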
 

Author Comment

by:skione
ID: 39210605
Thanks, I'll award you the points but would you have any documentation to back that up? (BTW that's what I thought as well)
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39210634
No, I don't, but I know from experience that plenty of EV sites use https://ajax.googleapis.com/ajax/libs/jquery/1.10.0/jquery.min.js (for example) at the backend, without browsers kicking up a fuss about it :)

Author Comment

by:skione
ID: 39210636
Thanks!
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39210643
I disagree on principle with EV certificates though. Why do we need to pay extra for the CA to do the checks we were supposed to be paying for for "standard" certificates (instead of just generating our own for free), and why, given several high-profile events where EV certificates were issued for "famous name" sites to people other than the sites' owners, they continue to claim EV means they really, really checked this time and you can trust them, honest.....
 

Author Comment

by:skione
ID: 39210661
Yeah, I don't know the answer to that, but our client (a bank) uses them and I need to make sure that when they connect to my API I don't cause any browser errors.