A pair of researchers are set to show how they can launch a man-in-the-middle attack against a site that is deploying an extended-validation SSL certificate.
The attack, called “SSL Rebinding,” relies on a common web browser flaw that can be exploited to compromise data, even when the higher-assurance certificates are being used. The research is scheduled to be presented July 30 at the Black Hat conference in Las Vegas by Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov.
EV SSL certificates, the idea of which was first unveiled in 2007 by the CA/Browser Forum, a group of certification authorities and web browser software manufacturers, are more difficult to obtain since the requester is much more thoroughly vetted, Zusman told SCMagazineUS.com on Tuesday.
The advantage of EV SSL certification is that when users log into the site, they see a green address bar in their browser, which is designed to assure them that the information they type will go to the correct destination and also implies that the web session is being encrypted.
To carry out the new attack, a cybercriminal would have to obtain a traditional domain-validated (DV) SSL certificate from a certificate authority (CA), then use a rogue man-in-the-middle server that uses certificate combinations to conduct an attack. Because web browsers treat DV and EV SSL certificates the same, the user would still see the green address bar when the attack was under way, but the attacker would be able to silently obtain login credentials without the user's knowledge.
“An attacker can use a DV SSL certificate to ‘man-in-the-middle’ an EV-protected session, and because of this flaw in the browser, the user has no idea this is going on,” Zusman said.
The researchers plan to release a proof-of-concept proxy tool after Black Hat, Zusman said.
While this threat is real, it is a fairly complicated attack and would require the cybercriminal to obtain a trusted DV SSL certificate and for the attacker to become the “man-in-the-middle,” Zusman said.
Rohyt Belani, CEO of Intrepidus Group, told SCMagazineUS.com on Tuesday that many companies just tell their employees to look for the green address bar as a security measure, but instead should be making employees aware of the cybersecurity threats that are out there. To avoid this attack, users should avoid connecting to public Wi-Fi networks, which would make them more susceptible to man-in-the-middle attacks, Belani said.
Tim Callan, vice president of product marketing at VeriSign, a leading provider of SSL certificates, told SCMagazineUS.com on Tuesday the attack is based on a problem with web browsers, so he is hoping that the browser manufacturers will fix the problem.
“We will ask and encourage the browser [manufacturers] to make them safer for consumers,” Callan said. “They are vigilant about making updates.”
In addition, Callan said that since the attack is technically sophisticated, users should be more worried about phishing attacks, which are easier to carry out and much more common.