
Researchers Uncover Serious Flaw in Handling of Extended Validation SSL by Popular Browsers

Leading Security Experts Reveal How Users of EV SSL-Protected Websites are at Risk to Silent Man-In-The-Middle Attacks

FOR IMMEDIATE RELEASE

PRLog (Press Release) - Jul 21, 2009 -
New York, NY. – Intrepidus Group, a leading provider of information security services and software, today announced research that shows new shortcomings in browser designs that allow an attacker to silently “Man-In-The-Middle” (MITM) Extended Validation (EV) SSL-protected websites. Users of sites that appear to be secure through the “glow” of their green badge have been found to be at risk of malicious attacks.

Research conducted by Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov shows that a common web browser design flaw can be exploited to compromise SSL encrypted data, even when the user sees the green badge of EV SSL. The researchers have devised a new attack, called SSL Rebinding, which exploits this flaw to sniff sensitive data as it leaves the browser. Zusman and Sotirov have also demonstrated that the same flaw can be leveraged to launch browser cache poisoning attacks against EV SSL protected web sites. Both attacks can cause significant exposure and silently expose “encrypted” sessions protected by an EV SSL certificate.

o SSL Rebinding is an attack against SSL involving a rogue MITM server which uses a combination of SSL certificates to manipulate client behavior and bypass security mechanisms.

o EV Cache Poisoning is a persistent attack, where cached content of an EV SSL protected web site can be poisoned without the victim consciously browsing the site.

“Verifying the ‘green glow’ of EV SSL in the browser has often been pitched as the silver bullet to thwarting phishing attacks,” said Rohyt Belani, CEO of Intrepidus Group. “Our research shows that the green glow can be misleading and provide a false sense of security. Employees and customers should be provided a holistic perspective on phishing to best train them to be resilient to this ever-growing threat.”

Zusman and Sotirov will present the details of their research findings during the Black Hat USA 2009 Briefings & Training conference. Intrepidus Group has also enhanced its PhishMe solution to empower individuals to identify these attacks and protect themselves from cybercrime exposure.

Black Hat USA 2009 Briefings & Training Presentation
Mike Zusman and Alexander Sotirov will be sharing details of this new research on EV SSL attacks during the Black Hat USA 2009 Briefings & Training conference at Caesar’s Palace in Las Vegas, Nev. Their session will be held on “Day 2,” July 30, 2009, in the “//random” track from 3:15 to 4:30 p.m.

About PhishMe
PhishMe is a software-as-a-service (SaaS) solution designed to help prevent damage, theft and loss caused by targeted (spear) phishing attacks. PhishMe facilitates and automates the execution of mock phishing exercises against employees, provides clear and accurate reporting on user behavior, and most importantly provides instant, targeted employee training. This method of delivering training materials is recommended by SANS and found to be most effective by researchers at Carnegie Mellon University.

About Intrepidus
Intrepidus Group is a leading provider of information security consulting services and software solutions. With offices in New York City and the Washington DC metro area, the company offers innovative solutions to help clients build employee awareness around common information security issues. Intrepidus Group’s consultants also conduct hands-on assessments of critical applications, networks and products to uncover vulnerabilities, and provide strategic and tactical recommendations to address identified issues.

Intrepidus Group
One Penn Plaza, Suite 6180, New York, New York 10119
intrepidusgroup.com

END

PhishMe.com is a registered trademark of Intrepidus Group. All other product and company names herein are or may be trademarks of their respective owners.

Contact Email: ***@ventanapr.com
Issued By: Derek Kol
Phone: 818-681-9400
Address: 4929 Rigoletto
Zip: 91364
City/Town: Los Angeles
State/Province: California
Country: United States
Industry: Computers
Last Updated: Jul 21, 2009
Shortcut: http://prlog.org/10288494