Researchers to demonstrate EV SSL exploits at Black Hat Briefings

By Michael S. Mimoso | Jul 8, 2009

Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.

EV SSL certificates are supposed to offer an extra layer of protection for websites, in particular against phishing attacks. Sites protected with EV SSL encryption display the familiar green icon in the URL address bar. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars). They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.

While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman have proved this conclusively. Their research demonstrates that EV SSL-protected sites, once thought invulnerable to man-in-the-middle attacks, are indeed as susceptible to them as non-EV sites, largely because of a flaw in Web browsers' security models. The flaws are universal, Sotirov said.

"These are not code flaws, but design flaws in the way SSL is deployed," said Sotirov, who, along with Mark Dowd, demonstrated browser attacks against Windows Vista at last year's Black Hat Briefings.

Sotirov and Zusman have worked with the major browser vendors on the security issues they've discovered, but this isn't an easy fix for Microsoft or Mozilla.

"Browsers were designed to use the one type of SSL cert we had previously. EV SSL was introduced in recent years, and shoehorned into the existing browser model," Sotirov said. "There's not enough separation between EV SSL and SSL sites. The browser sees both as the same thing internally; the only difference is the green color. Because of the supposed high security of EV, they need to be isolated much more strongly, but this is not the case."
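The browser-model point in the quote above, as an added example that is not from the article or the researchers' own code: a toy model of a browser cache and EV indicator in which the validation level is not part of the cache key, beside a stricter variant that partitions by it. The host, resource names and cache policies are constructed for illustration.

```javascript
// Added example (constructed; not the article's or the researchers' code).
// A cached entry remembers the validation level ("EV" or "DV") of the TLS
// session it arrived over. keyFn decides what the cache is indexed by.
function makeCache(keyFn) {
  const store = new Map();
  return {
    put(entry) { store.set(keyFn(entry), entry); },
    get(url, level) { return store.get(keyFn({ url, level })); },
  };
}
// Browser behaviour described in the article: the URL alone is the key, so an
// EV page and a DV-served resource from the same host share one cache entry.
const naiveKey = (e) => e.url;
// Stricter variant: content fetched under DV is never reused by an EV page.
const strictKey = (e) => `${e.level}|${e.url}`;

// Load a page and its subresources: cache hits are reused as-is, misses are
// fetched over the current session and recorded at the page's own level.
function loadPage(cache, pageLevel, subresourceUrls) {
  const loaded = subresourceUrls.map((url) => {
    const hit = cache.get(url, pageLevel);
    if (hit) return hit;
    const fresh = { url, level: pageLevel };
    cache.put(fresh);
    return fresh;
  });
  return { pageLevel, loaded };
}

// EV indicator policies. Lax: only the page's own certificate is checked.
// Strict: every resource the page executes must also have arrived under EV.
function showsGreenLax(page) { return page.pageLevel === "EV"; }
function showsGreenStrict(page) {
  return page.pageLevel === "EV" && page.loaded.every((r) => r.level === "EV");
}

// Constructed scenario: a script cached from an earlier DV session to the same
// host, followed by the EV login page that includes that script.
function scenario(keyFn) {
  const cache = makeCache(keyFn);
  cache.put({ url: "https://bank.example/app.js", level: "DV" });
  return loadPage(cache, "EV", ["https://bank.example/app.js"]);
}
```

With `naiveKey` the EV page executes the DV-cached script yet still shows green under the lax policy; with `strictKey` the script is refetched over the EV session.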
