Risk
7/13/2009
04:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers To Release Tool That Silently Hijacks EV SSL Sessions

Black Hat USA session will demonstrate new man-in-the middle attacks on Extended Validation SSL

If you think you're safe from man-in-the-middle (MITM) attacks as long as you're visiting an Extended Validation SSL (EV SSL) site, then think again: Researchers will release a new tool at Black Hat USA later this month that lets an attacker hack into a user's session on an EV SSL-secured site.

Mike Zusman and Alex Sotirov -- who in March first demonstrated possible MITM attacks on EV SSL at CanSecWest -- will release for the first time their proxy tool at the Las Vegas conference, as well as demonstrate variations on the attacks they have discovered. The Python-based tool can launch an attack even with the secure green badge displaying on the screen: "It doesn't alert the user that anything fishy is going on," says Zusman, principal consultant at Intrepidus.

All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That's because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate. "There's no differentiation between the two certs beyond the green badge," Zusman says. If an attacker has a valid domain-level certificate, he can spoof EV SSL connections and execute an MITM attack, with access and view of all sensitive data in the session -- all while the unsuspecting victim still sees that reassuring green badge displayed by his browser.

EV SSL sites display a green address bar when used with the newest versions of major Web browsers, and the bar bears the name of the Website's organization that owns the certificate, as well as the authority that issued it. The certificate shows the site is legitimate, and that the session is encrypted and secured.

"They're [Zusman and Sotirov] doing some novel and cool stuff to poke at the nonexistent security barrier. But it's not one [security barrier] that exists, because it's not one that can exist," says Dan Kaminsky, director of penetration testing for IOActive.

"The larger issue is why EV doesn't implement exclusive origins, [and] the answer is because such a change would be completely undeployable ... It's already a huge headache to get all of those sources to use SSL at all. If they all had to use EV SSL, there would quite literally be no sites of significance technically able to deploy the green bar -- and, thus, this defense against phishing wouldn't be on the market," he says.

Zusman and independent consultant Sotirov will demonstrate an attack using their Python-based tool against a popular ecommerce Website. "The proxy [tool] shows sensitive data the user wanted protected," Zusman says.

One possible attack scenario could be a bad guy setting up a rogue wireless access point at a caf or in an airport. Or he could target a bank and intercept traffic going to the bank's Website: "The user sees the green glow, but the attacker is a rogue proxy sniffing his credentials," Zusman says.

The attacker is basically downgrading EV SSL to standard SSL without the victim having a clue, the researchers say. These attacks are difficult to detect because the browser basically accepts the certificates the attacker sends it.

Zusman says the Firefox Perspectives plug-in, which basically validates that an SSL certificate was served up from the actual domain, can help. "The only way to detect this is if a user were to look at the certification being served up each time, paying attention to every connection the browser makes," he says.

Zusman is also working on a plug-in of his own that performs SSH-style whitelisting of public keys to ensure users don't get hit with MITM attacks. "[But] it's not ready for public consumption," he says.

Still, EV SSL has not been widely deployed as yet; as of March, more than 11,000 Websites were using EV SSL worldwide, which was about 1 percent of the 1.03 million sites already secured with SSL certificates, according to Netcraft. But one-fourth of all SSL certificates in the world's top 1,000 Websites were using EV SSL.

Calls for EV SSL adoption have intensified of late amid concerns of MITM attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack, which allows the creation of forged CA and X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC, which basically makes users think they are visiting a secure Website when they are not.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.