Entrust Responds to MITM Attacks on EV SSL

Extended Validation (EV) SSL digital certificates are the strongest level of SSL authentication available to protect Web site users.

Extended Validation SSL certificates have the highest impact on consumers, reassuring them that the site they are visiting is legitimate through visual cues in parts of the browser chrome that page content cannot modify.

There's no better way to let your customers know you are concerned for their security — and the security of their information on the Web — than by showing them the "green bar." It has been amply demonstrated that the green bar translates into a greater feeling of comfort and more willingness to complete transactions on the Web.

Recently, researchers Michael Zusman and Alexander Sotirov have demonstrated a tool to exploit a browser vulnerability that can reduce the effectiveness of EV SSL certificates. Their findings (which will be officially revealed at the Black Hat USA Conference in Las Vegas, Nev., July 25-30) are technically factual, but need some clarification for real-world application.

Their attack starts with a criminal obtaining an SSL digital certificate for the target site's domain. The easiest kind to acquire is usually a domain-validated (DV) SSL certificate, and that is one of the primary roots of the problem: lack of rigor in the issuance of DV certificates, which Entrust does not issue.

These latest findings aren't specific to EV SSL; they represent an unfortunate weakness that affects all SSL certificates. If a DV certificate is obtained illegitimately, an attacker can, in very specific cases, trick today's Internet browsers into treating content he controls as part of an EV-protected page.

The important fact to keep at the forefront, however, is that these particular man-in-the-middle attacks require extremely specific circumstances to be successful. In order to exploit this vulnerability, criminals must deliver a malicious script over SSL either via a self-signed certificate (and persuade the user to accept it), or they must obtain a DV certificate for the same domain as the EV site. The browser's same-origin policy considers only the scheme, host and port, not the validation level of the certificate, so a script delivered that way runs with full access to the EV page while the green bar stays on. While obtaining such a certificate should be difficult or impossible, real-life examples of such failures have been reported.

The business benefits associated with displaying the green bar, increased customer confidence and the more rigorous vetting behind the certificate, are not affected, but the exploit is sufficiently serious that the industry must address it. Browser vendors can address it by modifying their processing of EV content, requiring that all content granted the EV privilege be protected by EV SSL certificates. Another resolution is stricter standards for the issuance of DV certificates, so that a criminal cannot obtain a DV certificate for the same domain as an EV site.
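To make the gap concrete, here is an added example (not code from Entrust, from the researchers, or from any browser) that models in JavaScript the decision the text describes: the origin key used by the same-origin policy, the legacy rule that grants the green bar from the top-level certificate alone, and the stricter rule proposed above that checks every resource sharing the page's privileges. The function names, the page and resource objects, and the hostnames are assumptions for illustration; a real browser keeps this state in its connection and security-UI code, not in page script.

```javascript
// Added example (not Entrust's or any browser vendor's code): a toy model of
// how a browser decides whether to show the EV indicator ("green bar").
// The function names, the page/resource objects and the sample data below
// are assumptions made for illustration.

const EV = 'EV';                   // extended-validation certificate
const DV = 'DV';                   // domain-validated certificate
const SELF_SIGNED = 'self-signed'; // accepted by the user after a warning

// Same-origin policy key: scheme, host and port only. The validation level of
// the certificate is not part of the origin, so a script served from
// www.example.com under a DV or user-accepted self-signed certificate is
// same-origin with the EV document and can read and rewrite its DOM.
function origin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// A resource is granted the EV page's privileges if it is same-origin with the
// document (full DOM access) or is a script, which executes in the document's
// context regardless of the host it was fetched from.
function hasEvPrivilege(doc, res) {
  return origin(res.url) === origin(doc.url) || res.kind === 'script';
}

// Behaviour the researchers exploited: EV status comes from the top-level
// document's certificate alone; subresources are never consulted.
function evIndicatorLegacy(page) {
  return page.document.cert === EV;
}

// Policy change proposed above: every resource that shares the EV page's
// privileges must itself have been delivered under an EV certificate.
function evIndicatorStrict(page) {
  if (page.document.cert !== EV) return false;
  return page.resources
    .filter(r => hasEvPrivilege(page.document, r))
    .every(r => r.cert === EV);
}

// Constructed sample pages (hostnames are illustrative).
// 1. The MITM answered the request for the site's own script under a DV
//    certificate issued for www.example.com; the document itself is still EV.
const mitmPage = {
  document: { url: 'https://www.example.com/login', cert: EV },
  resources: [
    { url: 'https://www.example.com/js/app.js', kind: 'script', cert: DV },
    { url: 'https://www.example.com/css/site.css', kind: 'style', cert: EV },
  ],
};

// 2. Same page, but the script came under a self-signed certificate the user
//    clicked through.
const selfSignedPage = {
  document: { url: 'https://www.example.com/login', cert: EV },
  resources: [
    { url: 'https://www.example.com/js/app.js', kind: 'script', cert: SELF_SIGNED },
  ],
};

// 3. Clean page: all same-origin content and all scripts under EV; an image
//    from another host that cannot touch the DOM is allowed to be DV.
const cleanPage = {
  document: { url: 'https://www.example.com/login', cert: EV },
  resources: [
    { url: 'https://www.example.com/js/app.js', kind: 'script', cert: EV },
    { url: 'https://static.example.net/logo.png', kind: 'image', cert: DV },
  ],
};

function report(name, page) {
  return `${name}: legacy=${evIndicatorLegacy(page)} strict=${evIndicatorStrict(page)}`;
}

console.log(report('mitmPage', mitmPage));             // legacy=true strict=false
console.log(report('selfSignedPage', selfSignedPage)); // legacy=true strict=false
console.log(report('cleanPage', cleanPage));           // legacy=true strict=true
```

Run it with `node`. The legacy rule shows the green bar for all three pages; only the strict rule withholds it when a same-origin script arrived under a DV or self-signed certificate, which is exactly the condition the attack depends on.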

While it is difficult to predict what modifications browser vendors might make to the EV policy, members of the commercial CA industry are working together as members of the CA/Browser Forum to introduce common standards for the issuance of DV certificates. Common standards for DV should place further obstacles in the path of any criminal that attempts to defraud online customers of EV sites.