Researchers to demonstrate EV SSL exploits at Black Hat Briefings

By Michael S. Mimoso | Jul 8, 2009

Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.

EV SSL certificates are supposed to offer an extra layer of assurance for websites, in particular against phishing attacks. They do not change the encryption itself; a site presenting an EV certificate simply gets the familiar green address bar in the browser. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars). They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.

While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman's research demonstrates that EV SSL-protected sites, often assumed to be immune to man-in-the-middle attacks, are as susceptible to them as non-EV sites, largely because of a weakness in Web browsers' security models rather than in the certificates themselves. The flaws are universal, Sotirov said.

"These are not code flaws, but design flaws in the way SSL is deployed," said Sotirov, who along with Mark Dowd, demonstrated browser attacks against Windows Vista at last year's Black Hat Briefings.

Sotirov and Zusman have worked with the major browser vendors on the security issues they've discovered, but this isn't an easy fix for Microsoft or Mozilla.

"Browsers were designed to use the one type of SSL cert we had previously. EV SSL was introduced in recent years, and shoehorned into the existing browser model," Sotirov said. "There's not enough separation between EV SSL and SSL sites. The browser sees both as the same thing internally; the only difference is the green color. Because of the supposed high security of EV, they need to be isolated much more strongly, but this is not the case."
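The following is an added illustration of the point Sotirov makes above; it is not browser source code and not the researchers' own material. It models a browser's same-origin check as the tuple (scheme, host, port) and shows that the certificate validation level is not part of that tuple, so a resource fetched from the same host over an ordinary (non-EV) certificate lands in the same origin as the EV-protected document, while the address bar still reports the top-level document's EV status. The host name `bank.example` and the `certType` field are constructed for the example.

```javascript
// Added example: a toy model of how a browser keys its same-origin policy.
// Not real browser code; it models the behaviour described in the article.

// A "connection" record: what the browser learned when it fetched a resource.
// certType is a constructed label ("EV" or "DV"), not a parsed certificate.
function connection(url, certType) {
  return { url: new URL(url), certType };
}

// Current browser model: origin = (scheme, host, port). The validation level
// of the certificate is NOT part of the tuple, so EV and non-EV content from
// the same host share one origin.
function originKey(conn) {
  const port = conn.url.port || (conn.url.protocol === "https:" ? "443" : "80");
  return `${conn.url.protocol}//${conn.url.hostname}:${port}`;
}

// Stronger separation, of the kind Sotirov argues for: fold the validation
// level into the origin so EV content cannot be mixed with non-EV content.
function isolatedOriginKey(conn) {
  return `${originKey(conn)}#${conn.certType}`;
}

function sameOrigin(a, b, keyFn) {
  return keyFn(a) === keyFn(b);
}

// What the user sees: only the top-level document's certificate drives the
// green bar. Sub-resources never influence the indicator.
function addressBarIndicator(topLevel) {
  return topLevel.certType === "EV" ? "green" : "normal";
}

// Evaluate one page load: a top-level document plus the scripts it pulls in.
// Returns the indicator shown and, per script, whether it is treated as
// same-origin under the current and the isolated model.
function evaluatePageLoad(topLevel, scripts) {
  return {
    indicator: addressBarIndicator(topLevel),
    scripts: scripts.map((s) => ({
      url: s.url.href,
      certType: s.certType,
      sameOriginCurrent: sameOrigin(topLevel, s, originKey),
      sameOriginIsolated: sameOrigin(topLevel, s, isolatedOriginKey),
    })),
  };
}

// Constructed scenario: an EV document and a script from the same host that
// arrived over a non-EV certificate (as it would during a MITM on that fetch).
const evPage = connection("https://bank.example/account", "EV");
const dvScript = connection("https://bank.example/static/app.js", "DV");

function demo() {
  return evaluatePageLoad(evPage, [dvScript]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Under the current model the report shows `indicator: "green"` alongside `sameOriginCurrent: true` for the non-EV script: the script runs with full access to the EV document and the user sees nothing unusual. The isolated model flags the same script as a different origin, which is the separation the quote above says browsers lack.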
