

The security of any given computer system is no better than the skills researchers bring to finding the next potential program flaw. Network security workers concentrate on updating patches and making sure only validated users can access the corporate LAN (local area network).

Meanwhile, security researchers hunt for existing but unidentified infrastructure flaws that could let in the bad guys. However, even when researchers find a new potential vulnerability, product vendors are not always quick to respond with fixes.

That seems to be the case with a common browser flaw that allows attackers to silently exploit compromised SSL encrypted data.

Two researchers recently uncovered what they contend is a serious flaw in handling Extended Validation SSL in popular Web browsers. This could place users of EV SSL-protected Web sites at risk from silent man-in-the-middle attacks (MITM).

“These researchers specialize in advanced research on the cutting edge,” Tim Callan, vice president of product marketing for Verisign, told TechNewsWorld. “They delve into the potential attacks of tomorrow so we can take steps to prevent them. Attacks for this vector are not yet in the wild. The industry’s main focus is on mainstream phishing and malcode attacks. These represent 99.99 percent dominance of all attacks. The industry is putting most of its efforts there.”

The Discovery

Intrepidus Group announced in mid-July research that shows a flaw in browser designs that allow a phishing attacker to silently MITM Extended Validation SSL-protected Websites. The company provides information security services and software.

Extended Validation SSL technology identifies Web sites deemed safe from malicious attacks by placing a green emblem next to the URL in the browser window. SSL encrypted data is used by the banking industry, for example, for authentication services. The Extended Validation component is indicated to users who see a green emblem near the URL on the browser, according to Rohyt Belani, CEO of Intrepidus.

Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov discovered the inherent flaw in browsers that allow rogue MITM servers to use a combination of SSL certificates to manipulate client behavior and bypass security mechanisms. This type of attack is called “SSL Rebinding.”

A second type of SSL attack, known as “EV cache poisoning,” is a persistent attack wherein cached content of an EV SSL protected Web site can be poisoned without the victim consciously browsing the site.

“The mechanism used to secure conventional SSL is flawed. People can dupe users into visiting phony sites to steal personal data,” Belani told TechNewsWorld.

That green glow of EV SSL in the browser is often pitched as the silver bullet to thwarting phishing attacks. The new findings suggest users cannot trust that warm and fuzzy feeling when they conduct e-commerce activities with Web sites, said Belani.

“Our research shows that the green glow can be misleading and provide a false sense of security. Employees and customers should be provided a holistic perspective on phishing to best train them to be resilient to this ever-growing threat,” he said.

Zusman and Sotirov presented the details of their research findings during the Black Hat conference last month. To help mitigate potential phishing threats through the flaws the researchers uncovered, Intrepidus Group enhanced its PhishMe software security product, said Belani.

The exploit Zusman and Sotirov reported has not been used by attackers, according to Verisign’s Callan. The recent attention surrounding the Intrepidus Group’s announcement resulted from a poor understanding of the topic. There is an inaccurate perception that the weakness is new, Callan said.

Even so, “I’m not aware of any attacks through this exploit. This is not something that is being used to steal data today. There is no evidence that any harm has been done yet by this,” he said.

Still, the EV SSL weakness is a matter to consider. Browser makers are working on patching the reported flaw, Callan said.

“No doubt they will roll the fix into one of the upcoming browser upgrades. The barn door is still closed with the horses inside. Now they have to put on a lock for the door,” he said.

However, the Internet security industry is likely more focused on dealing with the 1,000 new phishing attacks happening every day, he added.

“This is not an EV SSL flaw but a browser flaw,” Belani said. “It is not browser-specific.”

Tough to Cure

Fixing the potentially broken browser vulnerability will not be easy, according to Belani.
