Now Hijacking EV-SSL

Close to the heels of SSL hijcking by Mozie in BlackHat last year, yet another attack on the SSL. This time on EV-SSL (Exteneded Validation-SSL). Mike Zusman and Alex Sotirov are releasing a pyhton based tool to hijack EV-SSL.The Python-based tool can launch an attack even with the secure green badge displaying on the screen.

All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That's because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate.

EV SSL sites display a green address bar when used with the newest versions of major Web browsers, and the bar bears the name of the Website's organization that owns the certificate, as well as the authority that issued it. The certificate shows the site is legitimate, and that the session is encrypted and secured.

Calls for EV SSL adoption have intensified of late amid concerns of MITM attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack, which allows the creation of forged CA and X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC, which basically makes users think they are visiting a secure Website when they are not.

My experiment using Moxie's tool can be read on my last post about Hijacking SSL


EV SSL said…
An extended validation or EV SSL certificate lets a website’s visitors know that it is secure. The green color shown in the address bar, similar to the green color shown on a traffic light, indicates that the visitor can safely proceed when performing a monetary transaction.

Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection