Two security researchers' assault on Extended Validation (EV) SSL certificates will continue later this month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.
EV SSL certificates are supposed to offer an extra layer of protection for websites, in particular against phishing attacks. Sites protected with EV SSL encryption display the familiar green icon in the URL address bar. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars). They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.
While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman have proved this conclusively. Their research demonstrates that EV SSL-protected sites, once thought invulnerable to man-in-the-middle attacks, are indeed as susceptible to them as non-EV sites, largely because of a flaw in Web browsers' security models. The flaws are universal, Sotirov said.
EV SSL certificates:
SSL certificates won't stop phishers, researchers say: Two researchers call Extended Validation
(EV) SSL certificates a Band-Aid approach, and share their research of the phishing
VeriSign addresses MD5 flaw: VeriSign is moving completely to the new SHA-1 hash function to avoid a vulnerability affecting SSL certificates. Microsoft and Mozilla also weighed in on the problem.
"These are not code flaws, but design flaws in the way SSL is deployed," said Sotirov, who along with Mark Dowd, demonstrated browser attacks against Windows Vista at last year's Black Hat Briefings.
Sotirov and Zusman have worked with the major browser vendors on the security issues they've discovered, but this isn't an easy fix for Microsoft or Mozilla.
"Browsers were designed to use the one type of SSL cert we had previously. EV SSL was introduced in recent years, and shoehorned into the existing browser model," Sotirov said. "There's not enough separation between EV SSL and SSL sites. The browser sees both as the same thing internally; the only difference is the green color. Because of the supposed high security of EV, they need to be isolated much more strongly, but this is not the case."
Sotirov and Zusman said they can attack an EV SSL-protected site using a traditional and easy-to-obtain SSL certificate. Zusman explained that an attacker could intercept wireless traffic at a free and public Wi-Fi hotspot and poison the client's cache of an EV site using the non-EV certificate. Once the victim browses an EV-protected site, the browser, unable to differentiate between the two, will load the content from the poisoned cache as well. The victim will continue to see the green bar, but the EV session is nonetheless compromised. Zusman added that it is not required for the victim to browse the EV-protected site over the compromised network for the attack to succeed. The attacker can embed malicious code to launch the attack in any plain-text Web traffic, such as a Google search.
"With the right software, pretty much anyone can do it," Sotirov said. "All of these attacks can be done over public wireless networks, or even a hotel LAN. As far as I'm aware of, there isn't a nicely packaged attack yet that anyone can use. The software we released [at CanSecWest] wasn't very user friendly. But it doesn't require much technical sophistication on the part of the attacker. And as we know, with tools like Metasploit, that sophistication can quickly be transferred to end users."
Adding to the potential success ratio of these attacks is the willingness of users to accept that the green bar and/or padlock icon indicates a secure website. Zusman said the marketing material promoting EV SSL certificates promotes better security for websites.
"We all know it takes a lot more than SSL to make a website secure," Zusman said. "It's still a problem explaining to users what the green bar means, and getting them to notice it. And even if they do, they still have to make a decision about the transaction. EV SSL is a step in the right direction, but there are still a lot of challenges."
The biggest challenge lies with the browser makers. Zusman said one researcher at Mozilla is working on a proof-of-concept countermeasure that could get EV SSL certificates working in such a way that these attacks would not be possible. Microsoft, meanwhile, is also aware of the issue, and Zusman said they are still in the design stages of trying to figure out what to do.
"We outlined a couple of cracks in the [browser] security model; some of them were solved easily with trivial changes, but others have serious compatibility issues that would arise if you change the behavior of the browser," Sotirov said. "I'm not sure how browsers would address them without breaking the Web as it is now. It's important the browser vendors cooperate. We don't want Mozilla and Internet Explorer to deploy different solutions that would mean headaches for site operators."