Researchers to demonstrate EV SSL exploits at Black Hat Briefings
By Michael S. Mimoso | Jul 8, 2009
Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.
EV SSL certificates are supposed to offer an extra layer of protection for websites, in particular against phishing attacks. Sites protected with EV SSL encryption display the familiar green icon in the URL address bar. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars). They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.
While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman have proved this conclusively. Their research demonstrates that EV SSL-protected sites, once thought invulnerable to man-in-the-middle attacks, are indeed as susceptible to them as non-EV sites, largely because of a flaw in Web browsers' security models. The flaws are universal, Sotirov said.
"These are not code flaws, but design flaws in the way SSL is deployed," said Sotirov, who, along with Mark Dowd, demonstrated browser attacks against Windows Vista at last year's Black Hat Briefings.
Sotirov and Zusman have worked with the major browser vendors on the security issues they've discovered, but this isn't an easy fix for Microsoft or Mozilla.
"Browsers were designed to use the one type of SSL cert we had previously. EV SSL was introduced in recent years, and shoehorned into the existing browser model," Sotirov said. "There's not enough separation between EV SSL and SSL sites. The browser sees both as the same thing internally; the only difference is the green color. Because of the supposed high security of EV, they need to be isolated much more strongly, but this is not the case."