By Jack M. Germain TechNewsWorld Part of the ECT News Network
08/19/09 4:00 AM PT
Use just about any major browser to sign on to a secure Web site like a bank's or credit card company's, and chances are the URL bar will glow green. That's the mark of extended validation secure sockets layer protection, a widely used security system. The effectiveness of that system, however, has come under scrutiny by security researchers who see a way around it.
The security of any given computer system is no better than the skills researchers bring to finding the next potential program flaw. Network security workers concentrate on updating patches and making sure only validated users can access the corporate LAN (local area network). Meanwhile, security researchers hunt for existing but unidentified infrastructure flaws that could let in the bad guys.
However, even when researchers find a new potential vulnerability, product vendors are not always quick to respond with fixes. That seems to be the case with a common browser flaw that allows attackers to silently intercept and tamper with SSL-encrypted sessions.
Two researchers recently uncovered what they contend is a serious flaw in how popular Web browsers handle Extended Validation SSL. This could place users of EV SSL-protected Web sites at risk from silent man-in-the-middle (MITM) attacks.
"These researchers specialize in advanced research on the cutting edge," Tim Callan, vice president of product marketing for Verisign, told TechNewsWorld. "They delve into the potential attacks of tomorrow so we can take steps to prevent them. Attacks for this vector are not yet in the wild. The industry's main focus is on mainstream phishing and malcode attacks. These represent 99.99 percent dominance of all attacks. The industry is putting most of its efforts there."
The Discovery
Intrepidus Group announced in mid-July research showing a flaw in browser designs that allows a phishing attacker to silently MITM Extended Validation SSL-protected Web sites. The company provides information security services and software.
Extended Validation SSL technology identifies Web sites deemed safe from malicious attacks by placing a green emblem next to the URL in the browser window. SSL-encrypted data is used by the banking industry, for example, for authentication services. Users see the Extended Validation component as a green emblem near the URL in the browser, according to Rohyt Belani, CEO of Intrepidus.
Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov discovered an inherent flaw in browsers that allows rogue MITM servers to use a combination of SSL certificates to manipulate client behavior and bypass security mechanisms. This type of attack is called "SSL Rebinding."
A second type of SSL attack, known as "EV cache poisoning," is a persistent attack wherein cached content of an EV SSL-protected Web site can be poisoned without the victim consciously browsing the site.
"The mechanism used to secure conventional SSL is flawed. This is very scary. People can dupe users into visiting phony sites to steal personal data," Belani told TechNewsWorld.
Silver Bullet Tarnished
That green glow of EV SSL in the browser is often pitched as the silver bullet for thwarting phishing attacks. The new findings suggest users cannot trust that warm and fuzzy feeling when they conduct e-commerce activities with Web sites, said Belani.
"Our research shows that the green glow can be misleading and provide a false sense of security. Employees and customers should be provided a holistic perspective on phishing to best train them to be resilient to this ever-growing threat," he said.
Zusman and Sotirov presented the details of their research findings during the Black Hat conference last month. To help mitigate potential phishing threats through the flaws the researchers uncovered, Intrepidus Group enhanced its PhishMe software security product, said Belani.
No Known Victims
The exploit Zusman and Sotirov reported has not been used by attackers, according to Verisign's Callan. It surfaced around the start of 2009.
The recent attention surrounding the Intrepidus Group's announcement resulted from a poor understanding of the topic. There is an inaccurate perception that the weakness is new, Callan said.
Even so, "I'm not aware of any attacks through this exploit. This is not something that is being used to steal data today. It is nothing to fear going online for. There is no evidence that any harm has been done yet by this," he said.
A Potential Threat
Still, the EV SSL weakness is a matter to consider. Browser makers are working on patching the reported flaw, Callan said.
"No doubt they will roll the fix into one of the upcoming browser upgrades. The barn door is still closed with the horses inside. Now they have to put on a lock for the door," he said.
However, the Internet security industry is likely more focused on dealing with the 1,000 new phishing attacks happening every day, he added.
"This is not an EV SSL flaw but a browser flaw," Belani said. "It is not browser-specific."
Tough to Cure
Fixing the browser vulnerability will not be easy, according to Belani. The flaw's cross-platform characteristics affect all browsers.
"It's not like flipping a switch to fix it. It will take a long, drawn-out process," Belani said.
Vendors are still evaluating solutions, he noted.
Redwood's Response
Microsoft (Nasdaq: MSFT) is aware of the Black Hat presentation but often regards such scenarios as somewhat contrived. The alleged threat is based on EV certificates failing to successfully mitigate against man-in-the-middle attacks in which an attacker has acquired a domain-validated (non-EV) certificate for a specific Web site, according to the Internet Explorer maker.
The scenario requires that an attacker obtain a digital certificate from an issuer trusted by the user under false pretenses and then requires the attacker to successfully levy a DNS hijacking attack against the user or be located on the same local network as the user, according to Microsoft's explanation of the potential attack.
"The scenario does not present any known vulnerability in any Microsoft technology or service. The scenario as outlined can be used by default against users using any browser that supports EV certifications," Sara Anissipour, spokesperson for Microsoft's Rapid Response Team, told TechNewsWorld.
Extended Validation was developed to help prevent fraudulent transactions using impostor Web sites set up to look very similar to actual corporate Web sites. Its current implementation is effective against these specific attacks but is not designed to deal with attacks in which an attacker has a fraudulent domain-validated certificate for an actual corporate domain, Microsoft concluded.
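The "EV cache poisoning" attack described earlier and the mix of EV and domain-validated certificates in the scenario Microsoft outlines can be modelled in a few lines. The Python below is an added illustration, not code from the article, from Intrepidus Group or from any browser vendor; the origin name, resource paths and script bodies are constructed placeholders, and the two caches and two indicator policies are simplified abstractions of browser behaviour rather than any real browser's implementation. It shows why a cache that forgets which class of certificate authenticated a fetch will hand a DV-validated script to a page loaded under the origin's EV certificate, and two defensive policies a browser can apply: keying cached entries on the certificate class, and showing the green indicator only when every resource in the page came over an EV-validated connection.

```python
"""Simplified model of the EV/DV certificate mix-and-match weakness.

Added illustration with constructed values throughout: the origin, paths
and script bodies are placeholders, and the classes model browser behaviour
in the abstract, not any particular browser's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EV = "EV"  # connection authenticated with an Extended Validation certificate
DV = "DV"  # connection authenticated with a domain-validated certificate only


@dataclass(frozen=True)
class Response:
    origin: str      # scheme and host, e.g. "https://bank.example" (placeholder)
    path: str
    body: str
    validation: str  # EV or DV: the certificate class the server presented


class NaiveCache:
    """Cache keyed on origin and path only.

    Models the weakness: it does not record which certificate class
    authenticated the fetch, so a resource obtained under a DV certificate
    is later handed to a page loaded under the origin's EV certificate.
    """

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Response] = {}

    def put(self, r: Response) -> None:
        self._store[(r.origin, r.path)] = r

    def get(self, origin: str, path: str, validation: str) -> Optional[Response]:
        return self._store.get((origin, path))  # validation is ignored


class ValidationAwareCache:
    """Cache keyed on origin, path and certificate class (mitigation 1).

    An entry fetched over a DV-validated connection never satisfies a lookup
    made in an EV context, so the poisoned copy is simply a cache miss and
    the browser refetches the resource over the EV-validated connection.
    """

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str, str], Response] = {}

    def put(self, r: Response) -> None:
        self._store[(r.origin, r.path, r.validation)] = r

    def get(self, origin: str, path: str, validation: str) -> Optional[Response]:
        return self._store.get((origin, path, validation))


def legacy_indicator(page: List[Response]) -> str:
    """Pre-fix behaviour: only the top-level document's certificate decides."""
    return page[0].validation if page else DV


def strict_indicator(page: List[Response]) -> str:
    """Mitigation 2: show green only if every resource in the page, scripts
    included, came over an EV-validated connection. A single DV-validated
    fetch from the same origin downgrades the indicator."""
    return EV if page and all(r.validation == EV for r in page) else DV


def simulate_cache_poisoning(
    cache, indicator: Callable[[List[Response]], str]
) -> Tuple[str, Optional[str]]:
    """Replay the EV cache poisoning sequence against a cache and a policy.

    Step 1: /app.js is fetched while a connection authenticated with only a
            DV certificate for the name answers (the on-path scenario the
            article outlines). The script body here is a constructed marker.
    Step 2: the victim later loads the genuine EV-protected page, which
            references the same /app.js; the browser consults its cache.
    Returns (indicator shown in step 2, body of /app.js taken from cache),
    where None means a cache miss and a fresh fetch over the EV connection.
    """
    origin = "https://bank.example"  # constructed placeholder, not a real site
    poisoned = Response(origin, "/app.js", "script-fetched-under-DV", DV)
    cache.put(poisoned)  # step 1

    page_html = Response(origin, "/", "<html>genuine EV page</html>", EV)
    hit = cache.get(origin, "/app.js", EV)  # step 2: lookup in an EV context
    loaded = [page_html] + ([hit] if hit is not None else [])
    return indicator(loaded), (hit.body if hit is not None else None)


if __name__ == "__main__":
    print("naive cache, legacy indicator:", simulate_cache_poisoning(NaiveCache(), legacy_indicator))
    print("naive cache, strict indicator:", simulate_cache_poisoning(NaiveCache(), strict_indicator))
    print("aware cache, strict indicator:", simulate_cache_poisoning(ValidationAwareCache(), strict_indicator))
```

With the naive cache and the legacy policy the DV-fetched script is served into the EV page and the bar still shows green, which is the combination the researchers warn about. The strict indicator alone still runs the cached script but withdraws the green indicator; only the validation-aware cache keeps the DV-fetched copy out of the EV page load altogether.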
Officials at Mozilla did not respond to TechNewsWorld's inquiry about the apparent security flaw.
Pick and Choose
"There are way too many potential threats to bolster defenses against every one of them. Especially with the economy the way it is, companies can't afford to be overly protected against such things," Ken Pappas, vice president of marketing and security strategist at computer security firm Top Layer Networks, told TechNewsWorld.
The browser flaw reported by Intrepidus Group could very well have the potential to become the next killer browser threat, he said.
Microsoft is taking the position of seeing if anything happens, he added.
"Some researchers call such things 'blue sky threats.' I am confident that Microsoft will take action when it becomes more than a possible threat," Pappas said.
He likened the decision to choosing how much health or life insurance one should pay for. How much coverage is enough? What is a safe level of insurance to have?