EV SSL Sessions are Safe...Yeah Right! Part Deaux

EV SSL Sessions are Safe...Yeah Right! Part Deaux

Posted by John B. Frank Tuesday, July 14, 2009

Security is only as strong as the weakest link in the chain, and I'd be willing to bet you have come across a "broken link" or 100 while browsing. Can you make the connection? The web is NOT a safe place for eCommerce transactions. They say it is, heck there was the https, then the SSL and after those were all breach they came up with EV SSL. Well, what's next? How about just realizing that hackers will get past any security you can come up with...unless it's done outside the browser space.

In a post from last week entitled: "EV SSL Encryption Is Safe! "Yeah...Right!" I talked about how https = httBS, how SSL is SOL and that EV Sessions are EZ targets for Hijacking ...here's more on the subject from DarkReading

Researchers To Release Tool That Silently Hijacks EV SSL Sessions - DarkReading

Researchers To Release Tool That Silently Hijacks EV SSL Sessions
Black Hat USA session will demonstrate new man-in-the middle attacks on Extended Validation SSL

Jul 13, 2009 | 04:37 PM by Kelly Jackson Higgins - DarkReading

If you think you're safe from man-in-the-middle (MITM) attacks as long as you're visiting an Extended Validation SSL (EV SSL) site, then think again: Researchers will release a new tool at Black Hat USA later this month that lets an attacker hack into a user's session on an EV SSL-secured site.

Mike Zusman and Alex Sotirov -- who in March first demonstrated possible MITM attacks on EV SSL at CanSecWest -- will release for the first time their proxy tool at the Las Vegas conference, as well as demonstrate variations on the attacks they have discovered. The Python-based tool can launch an attack even with the secure green badge displaying on the screen: "It doesn't alert the user that anything fishy is going on," says Zusman, principal consultant at Intrepidus.

All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That's because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate. "There's no differentiation between the two certs beyond the green badge," Zusman says. If an attacker has a valid domain-level certificate, he can spoof EV SSL connections and execute an MITM attack, with access and view of all sensitive data in the session -- all while the unsuspecting victim still sees that reassuring green badge displayed by his browser.

Continue Dark Reading

EV SSL, Silently Hacks, Black Hat, Extended Validation

0 comments

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

All Top Banking