back to article Researchers poke holes in super duper SSL

Websites that use an enhanced form of digital authentication remain just as vulnerable to a common form of spoofing attack as those that use less costly certificates, two researchers have found. Previously, so-called extended validation secure sockets layer certificates (or EV SSL) were believed to be immune to man-in-the- …

COMMENTS

This topic is closed for new posts.
  1. Flocke Kroes Silver badge

    Another attack that requires javascript

    I just turn off all javascript. Most sites work tolerably without it, and the good ones work well without it. If that is too radical for you, at least turn off javascript for your bank and any other site that asks for your credit card number. If the site stops working, go to a competitor - plenty of commerce sites work fine without javascript. Remember to turn off flash while you are at it.

  2. Anonymous Coward
    Coat

    I've always said ...

    I've always said that the certificate should say how much it cost: I'd be more willing to trust a web site that had paid tens of thousands of dollars for its certificate than one that had a cheap $10 job.

    And if browsers could be more discriminating and not accept cheap certificates ...

    OK, I'll get my coat.

  3. D. M

    Another JS problem

    So really, it is another Javascript issue. Sadly, lots of site requires JS to be enabled.

  4. Del Merritt
    Pirate

    google-analytics

    And who here tells NoScript to allow google-analytics? Not I.

  5. Martin Silver badge

    @I've always said ...

    >I'd be more willing to trust a web site that had paid tens of thousands of dollars.

    Like you would trust AIGwith your savings but not a local building society.

  6. Mike Silver badge

    don't blame javascript

    javascript was mentioned as an example, but if you can inject javascript then you can make other non-javascript changes as well... it's not a fault with javascript, but with the browser allowing mixed certificates and displaying the status of the "most trusted" one, rather than the "least trusted" which would probably be the correct way to deal with it

    as for being anti cheap certs... what if i want SSL on my small website? i can't without forking out a small fortune - yeah, good on you for sticking it to the man! this TAX on the use of encryption is just stupid.

    have 2 types of certificate,

    1. cheap/free certificate which has basic anti-spoof checks (ie. send email to the contact for the domain in whois + automated check for a random file which you need to put on the website - proves you have control over the real site and therefore it's OK to give you a certificate), this allows encryption to be used low cost/free by anyone who wants to with basic protection from someone spoofing it

    2. extended validation with the green bar where they are required to do *real* background checks to validate you are who you say you are, and therefore charge appropriately, for large organisations needing to prove their identity as well as use encryption (ie. banks, online shopping, etc)

    we're sort of moving in that direction except apparently the browsers allow mixed types and display it as the second type, when they should display mixed types as being like the lowest form, and also the normal non-verified certificates are still expensive considering they don't actually do anything for your money except run a program to sign it!

  7. Anonymous Coward
    Flame

    Certifcates

    So basically an EV certificate grants you no more protection than the cheapest cert you can find?

    From my understanding it does not just affect Javascript, any submitted forms could be intercepted using the plain certificate as well, and you could probably convince the browser to resubmit the post request and send it to the real site as well. The browser would keep the green bar at the top all the while someone is siphoning off your details.

    EV is/was always a joke and just a way for the few who hold trusted root CAs to print more money.

    There are a number of trivial ways to check that someone owns a domain, added a specific DNS text record with some shared key to prove you own the domain for instance. I don't claim it's secure, though it's obviously more foolproof than the methods used by some CAs judging from how easy it is to get a certificate for a site you don't control.

  8. James

    Price != quality

    I dislike the assumption that price and quality are linked; I'm sure a Russian gang of criminals would be quite happy to invest the price of a good car in getting a certificate which allowed them to steal millions in a banking scam. I'd far rather have a $10 - or free - certificate which is properly vetted, ideally by someone trustworthy and neutral (LINX? VISA? IANA?) rather than have big wads of cash changing hands, which seems to me like an incentive for dodgy companies try cashing in or regular companies to try cutting corners.

  9. Anonymous Coward
    Paris Hilton

    details...

    "design flaws in most browsers"

    If it's in MOST browsers, that implies that there is at least one that handles it properly... care to let us know which browser is safe?

    As for sites that include google analytics etc on an EV-SSL page, deserve to not show the green bar - they're voluntarily including third party javascript on their supposedly secure page - I certainly don't trust anyone that much, let alone an ad-broker such as goggle.

    Anyway, I didn't think anyone actually paid attention to the green bar - it's just a way for the CAs to make more money.

    As to the person above who said they'd trust a $10000 cert more than a $10 one: So you're more prepared to give your money to a company that'll waste it than one that'll use it for good? In that case I have access to $100b (one hundred billion US dollars) which I need your urgent assistance to transfer to your country; You will be rewarded with 1% of the total amount; I just need a $10000 payment upfront to get the paperwork moving.

  10. Olivier
    Unhappy

    mixed content

    The issue with mixed-ssl on a page is, IMHO, worse than described here:

    Even if google used EV certificates for google analytics, there should be no reason for the browser to assure the whole page is "extendly validated" for the site on which it is installed ( of course the site needs EV ssl anyway ). THe browser should at least display the list of of certifcates, EV or not, contained in the page.

    What would make sense is a feature on the browser which would block all third party content on an EV ssl page, and display the green bar only in this case.

    This is currently the behavior for IE with the "ssl lock": if one component in the page is not ssl'ed, the lock is broken (which IS correct behavior ).

  11. Pierre

    EV scam

    2- Internet was designed for reliability, not security. But some lazy people wanted to send sensitive info down "public" wires without vpn.

    2- SSL was therefore created. It was somewhat secure because having a certificate meant some checks had been performed. It was never 100% secure, but acceptable for most uses.

    3- greedy bstrds decided that they could (and therefore should) issue "cheap" certificates by the billion, no question asked (that's offer and demand folks), undermining the whole thing.

    4- other greedy bstrds offer "enhanced" SSL, meaning that you can buy for a hefty premium what standard SSL certs were supposed to be in the first place.

    4b- except that they don't tell you that the basic undermining of SSL certs renders the costly "enhanced" stuff as insecure as the standard ones.

    5- (soon to come) Greedy bstrds decide that they can (and therefore should) issue "moderately cheap" enhanced certificates by the billion, no question asked

    6- in a few years, apparition of "enhanced EV SSL" certs, costing an arm and a leg, doing what old 1st gen SSL certificates were supposed to do.

    6b- see 4b

    7- repeat ad nauseam.

    Now why vpn are so seldomly used is beyond my conprehension skills.

  12. Ru
    Flame

    Re: why vpn are so seldomly used

    Only you have to have the same sort of public key cryptography to show you that the VPN you are connecting to is the one it claims to be and not a fraudulent site, so the problem comes round again.

    So your VPN suggestion is totally irrelevant for internet commerce which relies utterly on a trusted third party to verify identities.

    Those trusted third parties have proven that they are anything but trustworthy; this is the major weak point not the underlying implementation.

    Why have their CA certificates not been revoked?

    The whole EV-SSL notion infuriates me. How dare these semicompetent organisations charge an order of magntitude more to do the job they were always supposed to be doing?

  13. Anonymous Coward
    Boffin

    SSL cannot be trusted anymore

    I have already disabled most CAs in my browser, you might notice that almost all online banks use VeriSign certificates, as that's one of the few CA's that still trustworthy.

    Also read up on Microdasys SCIP (http://www.microdasys.com/).

    This is a product that does a MITM attack for all SSL trafic on the gateway it's installed on (typically in company networks), it does this without creating brower warnings so it must contain itself a certificate from a CA trusted by any browser, that delegates it to act as a CA itself.

    It basically routinely creates fake certificates for any website, now if Microdasys was able to do this in a commercial product, it's only a matter of time before criminals figure out how to do this too, and then SSL will be effectively dead.

  14. Jim

    Google get outa my banking site!

    Google analytics should not be on a site that requires EV SSL. Its a security disaster waiting to happen if it is.

  15. Andraž Levstik

    @Mike

    Already exists a free CA... that does exactly that. And it requires you to have one of a few standard email accounts on that domain.

    http://www.cacert.org

  16. Pierre

    @ Ru about VPN

    "Only you have to have the same sort of public key cryptography to show you that the VPN you are connecting to is the one it claims to be and not a fraudulent site, so the problem comes round again. So your VPN suggestion is totally irrelevant for internet commerce which relies utterly on a trusted third party to verify identities."

    Please explain why my bank cannot issue me with VPN login creds? No reason? That's what I thought. Maybe a tiny bit relevant then.

    Of course it won't work with ebay's current operational methods, but I could get a reference number (account or whatever) and pay that from my bank's website, much like I do with my 'leccy and tawubs bills.

    Internet commerce relies on untrusted 3rd parties because they choose to, not because it's the only way.

  17. DR

    google analytics

    Oh, boo hoo...

    so you won't be able to get analytics code at your checkout pages etc?

    to be honest, your store doesn't need SSL just the checkout part where the contents of your basket are checked and paid for.

    and you don't need analytics code there (at checkout) since everyone who gets there will have already been on your previous pages.

    AND.. if you do require the kind of information that the analytics code gives, then write it yourself, and host it yourself on your secure pages

This topic is closed for new posts.

Other stories you might like