Wednesday, July 8, 2009

EV SSL Encryption Is Safe! "Yeah...Right!"

I posted many times that a web browser is not safe. "Especially" not safe for financial transactions. I've also posted that there was less of a risk that your cardholder data would be stolen if you "typed" your credit/debit card number in a box 2 years ago than there is today.  Tomorrow will see even more risk than today. 

That being the case, how well will we be prepared for what "tomorrow" brings?

I stand firm, and I stand tall in my belief that a web browser WAS NOT/IS NOT designed for eCommerce.  Therefore financial transactions MUST be done outside the browser space.

 

Much to my chagrin,  some industry "experts" callously (in my opinion) disagree and argue that it is in fact safe to type credit/debit card numbers into a box at a merchant website. (after all, we all need convenience, right?)

I've even read where they try and back it up with statements such as:
"Oh, if you go to a site where it says "https://", the "s" stands for "secure" and that means the web page you are on is "definitely" safe."

Two words: "Yeah...Right...." (See "https = httBS")


Or I've heard these "experts" quoted as saying:
"Those "SSL certificates" are great, they definitely tell you that the web page you are visiting is protected by "secure socket layers" and that means for sure you are safe!"

Two Words: "Yeah...Right..." (See: "99% of SSL Secure Websites Are Not")

Then I've read where these "so-called experts" say:
"We need websites to move over to the "more secure" granddaddy of them all... EV SSL digital certificates!   A website that implements Extended Validation SSL is even "safer than safe!"  It's the "safest!""

Here's more on them "gushing" about the security of EV SSL...


"Extended Validation (EV) SSL is considered by all to be more secure than SSL: Calls for widespread EV SSL implementation are on the rise as SSL threats increase. Two years after its rollout, the "more secure" Extended Validation Secure Sockets Layer (EV SSL) digital certificate for authenticating Websites and securing Web sessions is used on more than 11,000 Websites worldwide."

"Calls for EV SSL adoption have intensified amid concerns of new man-in-the-middle (MITM) attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack that allows the creation of forged CA X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC that basically makes users think they are visiting a secure Website when they are not."


Cool, EV SSL sounds great. So go ahead... if you see a website "protected" by EV SSL, then by all means, listen to the experts, because, after all...they know best. Their "analysis" should give you confidence to feel free to type your credit/debit card numbers into EV SSL protected websites. No worries!   
Wow, yeah, sounds great, that's the ticket! When will all the websites move to EV SSL, because EV SSL "really guarantees" a safe environment!   But before they do, I have just...

Two Words: (besides "Caveat Emptor")
"Yeah, Right!"  (see below)

Researchers to demonstrate new EV SSL man-in-the-middle hacks


Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.

EV SSL certificates are supposed to offer an extra layer of protection for websites.

Sites protected with EV SSL encryption display the familiar green icon in the URL address bar. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars).

They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.

While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman have proved this conclusively.

Their research demonstrates that EV SSL-protected sites, once thought invulnerable to man-in-the-middle attacks, are indeed as susceptible to them as non-EV sites, largely because of a flaw in Web browsers' security models.

"The flaws are universal," Sotirov said.

Editor's Note: Wait a minute, did they say "once thought invulnerable" followed by "susceptible" and then admitted there is a universal "flaw in Web Browser's security models?" 

Does that mean it's NOT okay to Enter/Type your credit/debit card numbers into a browser?  No matter what?  Even if they say it's safe?   Wow...who would have imagined?
Next thing ya know, there will be a report that analyzes alternative payments and concludes it's safe to "mouse click" PIN numbers into a web browser. Yeah...Right!


Continue Reading the EV SSL Man in the Middle Attack Susceptibility Article