The security of any given computer system is no better than the skills researchers bring to finding the next potential program flaw. Network security workers concentrate on updating patches and making sure only validated users can access the corporate LAN (local area network). Meanwhile, security researchers hunt for existing but unidentified infrastructure flaws that could let in the bad guys.
However, even when researchers find a new potential vulnerability, product vendors are not always quick to respond with fixes. That seems to be the case with a common browser flaw that allows attackers to silently exploit compromised SSL-encrypted data.
Two researchers recently uncovered what they contend is a serious flaw in how popular Web browsers handle Extended Validation SSL. This could place users of EV SSL-protected Web sites at risk from silent man-in-the-middle (MITM) attacks.
“These researchers specialize in advanced research on the cutting edge,” Tim Callan, vice president of product marketing for Verisign, told TechNewsWorld. “They delve into the potential attacks of tomorrow so we can take steps to prevent them. Attacks for this vector are not yet in the wild. The industry’s main focus is on mainstream phishing and malcode attacks. These represent 99.99 percent dominance of all attacks. The industry is putting most of its efforts there.”
Intrepidus Group announced in mid-July research showing a flaw in browser designs that allows a phishing attacker to silently MITM Extended Validation SSL-protected Web sites. The company provides information security services and software.
Extended Validation SSL technology identifies Web sites deemed safe from malicious attacks by placing a green emblem next to the URL in the browser window. SSL-encrypted data is used by the banking industry, for example, for authentication services. The Extended Validation component is indicated to users by a green emblem near the URL in the browser, according to Rohyt Belani, CEO of Intrepidus.
Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov discovered the inherent flaw in browsers that allows rogue MITM servers to use a combination of SSL certificates to manipulate client behavior and bypass security mechanisms. This type of attack is called “SSL Rebinding.”
A second type of SSL attack, known as “EV cache poisoning,” is a persistent attack wherein cached content of an EV SSL-protected Web site can be poisoned without the victim consciously browsing the site.
“The mechanism used to secure conventional SSL is flawed. This is very scary. People can dupe users into visiting phony sites to steal personal data,” Belani told TechNewsWorld.
Silver Bullet Tarnished
That green glow of EV SSL in the browser is often pitched as the silver bullet for thwarting phishing attacks. The new findings suggest users cannot trust that warm and fuzzy feeling when they conduct e-commerce activities with Web sites, said Belani.
“Our research shows that the green glow can be misleading and provide a false sense of security. Employees and customers should be provided a holistic perspective on phishing to best train them to be resilient to this ever-growing threat,” he said.
Zusman and Sotirov presented the details of their research findings during the Black Hat conference last month. To help mitigate potential phishing threats through the flaws the researchers uncovered, Intrepidus Group enhanced its PhishMe software security product, said Belani.
No Known Victims
The exploit Zusman and Sotirov reported has not been used by attackers, according to Verisign’s Callan. It surfaced around the start of 2009.
The recent attention surrounding the Intrepidus Group’s announcement resulted from a poor understanding of the topic. There is an inaccurate perception that the weakness is new, Callan said.
Even so, “I’m not aware of any attacks through this exploit. This is not something that is being used to steal data today. It is nothing to fear going online for. There is no evidence that any harm has been done yet by this,” he said.
A Potential Threat
Still, the EV SSL weakness is a matter to consider. Browser makers are working on patching the reported flaw, Callan said.
“No doubt they will roll the fix into one of the upcoming browser upgrades. The barn door is still closed with the horses inside. Now they have to put on a lock for the door,” he said.
However, the Internet security industry is likely more focused on dealing with the 1,000 new phishing attacks happening every day, he added.
“This is not an EV SSL flaw but a browser flaw,” Belani said. “It is not browser-specific.”
Tough to Cure
Fixing the browser vulnerability will not be easy, according to Belani. The flaw’s cross-platform characteristics affect all browsers.
“It’s not like flipping a switch to fix it. It will take a long, drawn-out process,” Belani said.
Vendors are still evaluating solutions, he noted.
Microsoft is aware of the Black Hat presentation but often regards such scenarios as somewhat contrived. The alleged threat is based on EV certificates failing to successfully mitigate against man-in-the-middle attacks in which an attacker has acquired a domain validated (non-EV) certificate for a specific Web site, according to the Internet Explorer maker.
The scenario requires that an attacker obtain a digital certificate from an issuer trusted by the user under false pretenses and then requires the attacker to successfully levy a DNS hijacking attack against the user or be located on the same local network as the user, according to Microsoft’s explanation of the potential attack.
“The scenario does not present any known vulnerability in any Microsoft technology or service. The scenario as outlined can be used by default against users using any browser that supports EV certifications,” Sara Anissipour, spokesperson for Microsoft’s Rapid Response Team, told TechNewsWorld.
Extended Validation was developed to help prevent fraudulent transactions using impostor Web sites set up to look very similar to actual corporate Web sites. Its current implementation is effective against these specific attacks but is not designed to deal with attacks in which an attacker has a fraudulent domain-validated certificate for an actual corporate domain, Microsoft concluded.
Officials at Mozilla did not respond to TechNewsWorld’s inquiry about the apparent security flaw.
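To make the scenario Microsoft describes concrete, here is an added illustrative model (not code from any browser, from Microsoft, or from the researchers) of how a browser's EV-indicator policy can treat a page assembled from two connections to the same hostname, one under an EV certificate and one under a domain-validated one; the hostnames, class names and policy functions are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of a browser's EV-indicator policy (not any browser's code).

@dataclass(frozen=True)
class Cert:
    host: str             # hostname the certificate was issued for
    ev: bool              # Extended Validation certificate?
    trusted: bool = True  # chains to a root the browser trusts

@dataclass(frozen=True)
class Resource:
    host: str   # hostname in the resource's URL
    cert: Cert  # certificate of the TLS connection that delivered it
    kind: str   # "document" (top-level page) or "subresource"

def _all_valid(resources: List[Resource]) -> bool:
    # Ordinary TLS validation applied to every load: trusted chain, host match.
    return all(r.cert.trusted and r.cert.host == r.host for r in resources)

def indicator_weak(resources: List[Resource]) -> str:
    """Weak policy, as the article describes it: the green indicator reflects
    only the certificate behind the top-level document. A same-host subresource
    is accepted on any valid certificate, so content delivered under a
    domain-validated certificate lands in the EV page's origin unnoticed."""
    if not _all_valid(resources):
        return "error"
    doc = next(r for r in resources if r.kind == "document")
    return "green" if doc.cert.ev else "none"

def indicator_hardened(resources: List[Resource]) -> str:
    """Hardened policy: green only when every connection that fed content into
    the document presented an EV certificate; one DV-served load downgrades
    the page to the plain-lock state so the user sees the mixed state."""
    if not _all_valid(resources):
        return "error"
    return "green" if all(r.cert.ev for r in resources) else "none"

# Constructed sample: EV page plus one script served under a DV cert for the same host.
EV_CERT = Cert("bank.example", ev=True)
DV_CERT = Cert("bank.example", ev=False)
MIXED = [Resource("bank.example", EV_CERT, "document"),
         Resource("bank.example", DV_CERT, "subresource")]
ALL_EV = [Resource("bank.example", EV_CERT, "document"),
          Resource("bank.example", EV_CERT, "subresource")]

if __name__ == "__main__":
    print(indicator_weak(MIXED), indicator_hardened(MIXED))    # green none
    print(indicator_weak(ALL_EV), indicator_hardened(ALL_EV))  # green green
```

The weak policy keeps the green indicator for the mixed page, which is the gap the article's sources describe; the hardened policy downgrades it as soon as any load for the origin was not EV-served.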
Pick and Choose
“There are way too many potential threats to bolster defenses against every one of them. Especially with the economy the way it is, companies can’t afford to be overly protected against such things,” Ken Pappas, vice president of marketing and security strategist at computer security firm Top Layer Networks, told TechNewsWorld.
The browser flaw reported by Intrepidus Group could very well have the potential to become the next killer browser threat, he said. Microsoft is taking the position of seeing if anything happens, he added.
“Some researchers call such things ‘blue sky threats.’ I am confident that Microsoft will take action when it becomes more than a possible threat,” Pappas said.
He likened the decision to choosing how much health or life insurance one should pay for. How much coverage is enough? What is a safe level of insurance to have?