- August 20, 2009
- Posted by: admin
- Categories: Agile Applications, Blog, Business Dynamics
Use just about any major browser to sign on to a secure Web site like a bank's or credit card company's, and chances are the URL bar will glow green. That's the mark of Extended Validation (EV) SSL, a widely used security system. The effectiveness of that system, however, has come under scrutiny by security researchers who see a way around it. Network security workers concentrate on applying patches and making sure only validated users can access the corporate LAN (local area network). Meanwhile, security researchers hunt for existing but unidentified infrastructure flaws that could let in the bad guys. That seems to be the case with a common browser flaw: the SSL encryption itself is not broken, but the way browsers handle EV certificates lets an attacker holding a lesser certificate for the same site mount a silent man-in-the-middle attack.
Researchers recently found what they contend is a serious flaw in how popular Web browsers handle Extended Validation SSL. It could place users of EV SSL-protected Web sites at risk from silent man-in-the-middle attacks. The green glow of EV SSL in the browser is often pitched as the silver bullet against phishing attacks. The new findings suggest users cannot trust that warm and fuzzy feeling when they conduct e-commerce transactions.
Microsoft is aware of the Black Hat presentation but regards such scenarios as somewhat contrived. According to the IE maker, the alleged threat comes down to EV certificates failing to mitigate man-in-the-middle attacks in which an attacker has already acquired a domain-validated (non-EV) certificate for the specific Web site. Extended Validation was developed to help prevent fraudulent transactions on impostor Web sites set up to look very similar to actual corporate Web sites. Its current implementation is effective against those specific attacks, but it was not designed to deal with attacks in which an attacker holds a fraudulently obtained domain-validated certificate for the actual corporate domain.
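The distinction Microsoft draws (EV versus domain-validated certificate for the same site) rests on a single piece of certificate content: the policy OIDs in the certificatePolicies extension. A DV certificate for the same hostname chains to a trusted root and matches the name exactly like the EV one does, so the green indicator is the only thing that tells them apart. The following added example, not code from the original post, builds the DER for that extension itself so it runs offline and classifies it. It assumes the CA/Browser Forum policy OIDs as its lookup table; at the time of the post each CA asserted its own EV OID and the browser mapped those per trusted root, which this dict stands in for.

```python
"""Classify an X.509 certificatePolicies extension value as EV, OV or DV.

Added example (not from the original post). The sample extension values
below are constructed here; the policy table is an assumption standing in
for a browser's per-root EV OID mapping.
"""

# Assumed policy table: CA/Browser Forum certificate policy identifiers.
POLICY_TABLE = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_read_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID, including the 0x06 tag and length."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OID back to dotted form."""
    first = body[0]
    arcs = list(divmod(first, 40)) if first < 80 else [2, first - 80]
    val, pending = 0, False
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def encode_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier }."""
    infos = b"".join(b"\x30" + _der_len(len(o)) + o for o in map(encode_oid, oids))
    return b"\x30" + _der_len(len(infos)) + infos


def parse_policies(der: bytes) -> list:
    """Return the policy OIDs asserted by a certificatePolicies value.

    Any policyQualifiers (CPS URI, user notice) after the OID are skipped.
    """
    if not der or der[0] != 0x30:
        raise ValueError("expected outer SEQUENCE")
    n, pos = _der_read_len(der, 1)
    end = pos + n
    if end != len(der):
        raise ValueError("trailing data after certificatePolicies")
    oids = []
    while pos < end:
        if der[pos] != 0x30:
            raise ValueError("expected PolicyInformation SEQUENCE")
        n, pos = _der_read_len(der, pos + 1)
        info_end = pos + n
        if der[pos] != 0x06:
            raise ValueError("expected policyIdentifier OID")
        n, pos = _der_read_len(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + n]))
        pos = info_end                # skip qualifiers, if any
    return oids


def validation_level(der: bytes) -> str:
    """EV only when an EV policy OID is asserted; otherwise OV, DV or 'unknown'."""
    levels = {POLICY_TABLE.get(o, "unknown") for o in parse_policies(der)}
    for lvl in ("EV", "OV", "DV"):
        if lvl in levels:
            return lvl
    return "unknown"


# Constructed sample extension values: one EV, one DV, for the same site.
EV_EXT = encode_policies(["2.23.140.1.1"])
DV_EXT = encode_policies(["2.23.140.1.2.1"])

if __name__ == "__main__":
    for name, ext in (("EV", EV_EXT), ("DV", DV_EXT)):
        print(name, ext.hex(), "->", validation_level(ext))
```

Everything else the browser checks (chain to a trusted root, hostname match, validity period) is identical for both sample values; only this classification decides whether the bar turns green. That is why an attacker who can obtain the DV certificate for the real domain, as in the scenario the post describes, passes every check except the indicator, and nothing about the site's origin records which certificate was used.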