Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • IT Management

    Security Researchers Exploit Vulnerability in Handling of EV SSL Certificates

    By
    Brian Prince
    -
    July 13, 2009
    Share
    Facebook
    Twitter
    Linkedin

      Two researchers have discovered a design flaw in Web browsers that can be exploited to launch man-in-the-middle attacks on extended validation SSL certificates.

      Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov plan to reveal the details of their findings at the Black Hat security conference coming up in Las Vegas later this month. In an interview with eWEEK, Zusman said that through a technique the duo calls “SSL rebinding,” attackers can exploit the behavior of the browser to effectively render an extended validation SSL (EV SSL) certificate meaningless.

      EV SSL certificates are meant to offer additional authentication for Websites and provide protection against phishing attacks. Before an organization can receive one, they must meet certain criteria as part of a vetting process. Sites that are given the certificate display a green icon in the address bar.

      But for all the emphasis EV SSL puts on authentication, the browser does not treat the certificate very differently than a domain validated SSL (DV SSL) certificate – a fact that can be exploited by attackers, Zusman explained.

      With SSL rebinding, the researchers silently switch the browser from talking to the EV SSL certificate to talking to a domain validated SSL certificate held by the attacker. The duo will also demonstrate an extended validation cache poisoning attack where cached content of an EV SSL- protected Website can be poisoned without the victim consciously browsing the site.

      “Imagine you have a user who is on a public Wi-Fi access point at a caf??«, and he’s logging into his bank account and his bank uses EV SSL,” Zusman said. “So he logs in, he sees that green glow and he assumes that because he sees that green glow he’s secure [and] everything is fine. But just next to him is an attacker who’s either compromised that wireless network or has set up a rogue access point to trick the victim into connecting to it and now he serves as a man in the middle.”

      “What we devised is a way to intercept this secure communication in such a way that we can see the data coming out of his browser, but all the while the user is still aware that the green glow of EV SSL is still there,” he continued. “So what this entails is that the attacker set himself up as the man in the middle…then using this technique we call SSL rebinding, he’s able to essentially trick the browser into thinking that that extended validation, green glow should be shown for the whole session.”

      Zusman and Sotirov tested the attacks against recent versions of Internet Explorer and Firefox, but contend the flaw is not specific to any of the major browsers. Unfortunately, there isn’t much the browser vendors can do to solve the problem. The easiest fix would be to not trust DV SSL certificates, but that would cause many Websites to break. Also, it is unrealistic to expect everyone to upgrade to EV SSL certificates due to cost, Zusman said.

      “A more practical solution would be something along the lines of same origin policy, where the Web browser can have an internal flag that says, -OK, I’m talking to this Web server and it’s using an EV SSL certificate, [so] I should only talk over EV SSL . If I am presented with a domain validated certificate I should terminate that connection.’ I think that makes a lot of sense. If you’re a Website administrator you make a decision to use a high assurance EV SSL certificate, well why would you want to mix and match EV and DV SSL ?”

      The researchers are scheduled to present their findings at the conference July 30.

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×