New EV SSL Certificates Already Vulnerable
Two security researchers are scheduled to unveil at the upcoming Black Hat conference next week in Las Vegas a way to breach Extended Validation SSL certificates.
Conceptually, the attack is pretty simple but, in practice, is difficult to execute, according to Mike Zusman, principal consultant at Intrepidus Group, and one of the two researchers. The other is Alex Sotirov, an independent security researcher.
The attack works because it takes advantage of a web browser flaw that can't tell the difference between EV and regular Domain Validated (DV) SSL certificates.
Beyond that, basically, the attack consists of two steps. The first requires the attacker to get a traditional DV cert from a Certificate Authority (CA) and then use a rogue man-in-the-middle server that uses certificate combinations to conduct the attack. Since web browsers don't distinguish between EV and DV certs, the address bar would still show the green light, indicating a valid site.
The researchers will provide details at Black Hat and are expected to release a sample proxy tool shortly afterward.
Conceptually, the attack is pretty simple but, in practice, is difficult to execute, according to Mike Zusman, principal consultant at Intrepidus Group, and one of the two researchers. The other is Alex Sotirov, an independent security researcher.
The attack works because it takes advantage of a web browser flaw that can't tell the difference between EV and regular Domain Validated (DV) SSL certificates.
Beyond that, basically, the attack consists of two steps. The first requires the attacker to get a traditional DV cert from a Certificate Authority (CA) and then use a rogue man-in-the-middle server that uses certificate combinations to conduct the attack. Since web browsers don't distinguish between EV and DV certs, the address bar would still show the green light, indicating a valid site.
The researchers will provide details at Black Hat and are expected to release a sample proxy tool shortly afterward.
posted by The IT Security Guy at 10:36 AM
1 Comments:
So then isn't the problem that DV certificates are so readily available to get so you can exploit this?
And that being the case you can exploit ANY certificate with that DV certificate?
So why is this about EV? I suppose they get more headlines that way. :(
Post a Comment
<< Home