Black Hat demo to show even extended validation certificates are vulnerable to man-in-the-middle attacks
Confidential online connections, such as banking transactions made from public wireless hotspots, remain vulnerable to attack despite improved security that was supposed to fix the problem, researchers will demonstrate at the Black Hat security conference.
The vulnerability means that attackers can lurk in the middle of what victims believe are secure SSL sessions with banks, retailers and other secure Web sites, picking off passwords and other information that can later be used to steal account funds or compromise confidential business data, according to the researchers, Mike Zusman, a consultant with Intrepidus, and Alexander Sotirov, an independent researcher.
An improved method of qualifying businesses for SSL certificates, called extended validation (EV) SSL, turns the address bar in browsers green to assure users that the connection is in fact being made using an EV SSL certificate. The green bar is supposed to indicate that end users are connecting with a legitimate business, not an attacker: to qualify for the certificate, the entity obtaining it must have undergone prescribed scrutiny.