EV SSL - What is it?
Extended Validation or EV SSL certificates are the newest, neatest iteration of encryption certificates, intended to supply "enhanced security features". Secure Sockets Layer (SSL) certificates have been in use for years. A certificate is the internet equivalent of a notarized statement of identity: a certificate authority vouches that a public key belongs to a particular domain name, and that is what lets a website serve its traffic over HTTPS instead of plain HTTP. I covered the subject of SSL certificates in the entry I wrote in the Blackwell Encyclopedia of Management: Management Information Systems.
My friends over at SpiDynamics have written an excellent post on the subject, but in my opinion they are asking the wrong questions:
"With the explosion of phishing attacks and identity theft, a new form of SSL certificate is ready to hit the Internet. This new certificate is known as an Extended Validation (EV) SSL certificate and is designed "to provide users with a trustworthy confirmation of the identity of the entity that controls the website they are accessing". In addition to the confidentiality provided by traditional SSL certificates, EV SSL certificates also aim to instill trust in web users by validating the identity of the web site proprietor. Is this the silver bullet that we've been looking for or a wolf in sheep's clothing?"
I say EV SSL is a sheep in wolf's clothing. It looks good, but does it help anything?
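To make the distinction concrete, here is an added example (not code from the original post, and not anything a CA or browser vendor ships). It self-signs two certificates for a constructed hostname: one shaped like an ordinary domain-validated (DV) certificate, and one carrying what EV adds on top, namely a vetted organization name, the EV subject attributes, and the CA/Browser Forum EV policy OID 2.23.140.1.1 in the certificatePolicies extension. It then decodes that extension the way a browser does before painting the bar green. The organization name, registration number and hostname are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// 2.23.140.1.1 is the CA/Browser Forum's common EV policy OID (each CA used its own
// before it existed); businessCategory and jurisdictionCountryName are EV subject attributes.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEVPolicy        = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// policyInformation is RFC 5280's PolicyInformation with qualifiers kept raw.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers []asn1.RawValue `asn1:"optional"`
}

// issue self-signs a server certificate for host (self-signed only so this runs offline).
// With ev set it adds exactly what an EV certificate has and a DV one lacks: a vetted
// organization, the EV subject attributes and the EV policy OID. The key is the same either way.
func issue(host string, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ev {
		tmpl.Subject.Organization = []string{"Example Bank, N.A."} // constructed
		tmpl.Subject.Country = []string{"US"}
		tmpl.Subject.SerialNumber = "123456" // registration number, constructed
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
		}
		pols, err := asn1.Marshal([]policyInformation{{Policy: oidCABFEVPolicy}})
		if err != nil {
			return nil, err
		}
		// Raw extension, so the result does not depend on which of Go's policy fields the toolchain honours.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: pols}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify decodes certificatePolicies itself, as a browser does before it
// paints the bar green, and returns the EV verdict plus the subject's O.
func classify(cert *x509.Certificate) (ev bool, org string) {
	if len(cert.Subject.Organization) > 0 {
		org = cert.Subject.Organization[0]
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var pols []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &pols); err != nil {
			continue
		}
		for _, p := range pols {
			if p.Policy.Equal(oidCABFEVPolicy) {
				ev = true
			}
		}
	}
	return ev, org
}

func main() {
	for _, withEV := range []bool{false, true} {
		c, err := issue("www.examplebank.test", withEV) // constructed hostname
		if err != nil {
			panic(err)
		}
		isEV, org := classify(c)
		fmt.Printf("ev=%-5v org=%-20q key=%s sig=%s\n", isEV, org, c.PublicKeyAlgorithm, c.SignatureAlgorithm)
	}
}
```

Everything that separates the two certificates lives in the subject and in one extension; the key and signature algorithms, which are what actually protect the session, come out identical. A real EV certificate is issued by a CA after vetting rather than self-signed, but the fields a browser inspects are the ones shown here. Browsers originally recognised EV through a built-in table of per-CA OIDs; 2.23.140.1.1 was added later as a common identifier that CAs assert alongside their own.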

Good Security v. Bad Security
When I teach classes on information security, I frequently ask the following question:
Which is better: good security, or bad security?
What about bad security that makes you feel good?
Good security costs a lot less money than the bad security that makes you feel good.
EV SSL is simply a technology that makes administrators feel good while doing nothing to increase actual security. The key exchange and the encryption are identical to those of an ordinary certificate; all EV adds is more paperwork for the certificate authority to check before issuing, and a green indicator in the browser that the user has to notice and understand. As evidence, Stanford University and Microsoft ran a controlled user study of the EV indicator in Internet Explorer 7 and found that it did not reduce the success rate of phishing attacks; if anything, the participants who had read the browser's help file were more willing to accept fake sites as legitimate.
The paper concludes:
"New browser technologies such as extended validation have the potential to defend against fraud by identifying the source of the content displayed on the screen. In this paper, we presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group. The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear."
The criminals are getting better
Online criminal gangs have figured out that our banks don't require us to "verify our information", and asking us to do so is an immediate cause for suspicion (although sometimes I wish the banks would ask me to verify, I would love to hear them ask: "Mr. Helgeson, we just had an error in our computer system, we need to verify your information and could you please tell us how much money you had in your checking account?").
In one example, spammers sent out notifications purporting to be from Bank of America stating "Your email address has been successfully changed." with the standard marketing blather at the bottom of the message. Nothing suspicious like "Click here to log in" or "If you did not perform this action, click here...".
If you followed any of the links in the message, it took you to the official Bank of America site, encrypted with the real Bank of America certificate. The twist was that the link also opened a popup window positioned just under the Bank of America URL, so that it appeared to be part of the login page. The popup, hosted on the "Commercial Phisherman's" site, disclosed that some account holder information had been compromised and, if you were concerned that you might be a victim, offered one link to send a message to customer support and another to begin the account recovery process. Every indicator in the main window, the lock icon and the certificate behind it, was telling the truth about that window; the fraud lived in a second window from a different origin, which an EV green bar on the real site would have done nothing to expose.
I actually worked with Bank of America and the US Secret Service to close down five accounts that had been compromised by this method. The criminal was trying to sell me account details on five different bank accounts with over $150,000 on deposit for only $500. No Joke.
I was researching identity theft for a class I taught to state attorneys and magistrates. I was in an IRC chat room (which is now shut down) when "_dealer" approached me offering to sell the account information. When I asked him to verify that he actually had the accounts to sell, he sent the screen shot below.
Notice:
- The URL, showing the criminal logged into the BoA account
- The date showing when the user logged in (also notice the day in the lower right corner of the window, where it says "miercuri", which is Romanian for "Wednesday")
- The account balance
- The criminal is using a SOCKS proxy, which happened to be a compromised home computer running an open SOCKS proxy
I noted the IP address of the proxy he was using (not shown) and contacted BoA security. BoA searched the firewall logs for the OnlineEast portal for accounts that had been accessed from that proxy address and suspended their online access. Subsequently, the chat rooms were taken down which forced the criminals to use even more covert channels for communications.
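The pivot just described, in code: take the proxy address, find every account the portal saw logging in from it, and hand that list to the people who can suspend access. This is an added example, not code from the post or from Bank of America; the log format, addresses and account numbers are all constructed. It goes one step beyond the post and also lists the other addresses that logged into the affected accounts, which is the next thing an analyst wants to know.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleLog is a constructed excerpt of a banking-portal access log. A real
// portal has its own format; what the pivot needs is a timestamp, the client
// address as the firewall saw it, the account, and whether the login succeeded.
const sampleLog = `2007-03-14T09:02:11Z 203.0.113.45 acct=1001 login=ok
2007-03-14T09:05:40Z 198.51.100.7 acct=1002 login=ok
2007-03-14T09:07:02Z 203.0.113.45 acct=1003 login=ok
2007-03-14T09:07:55Z 203.0.113.45 acct=1004 login=fail
2007-03-14T09:10:13Z 192.0.2.88 acct=1001 login=ok
2007-03-14T10:31:09Z 203.0.113.45 acct=1005 login=ok
2007-03-14T11:00:00Z 198.51.100.7 acct=1003 login=ok`

// entry is one parsed log line.
type entry struct {
	ts, ip, acct string
	ok           bool
}

// parse converts the log text into entries and rejects lines that do not fit
// the four-field layout, so a format change fails loudly instead of silently
// dropping evidence.
func parse(log string) ([]entry, error) {
	var out []entry
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[2], "acct=") || !strings.HasPrefix(f[3], "login=") {
			return nil, fmt.Errorf("line %d: unexpected format: %q", n+1, line)
		}
		out = append(out, entry{
			ts:   f[0],
			ip:   f[1],
			acct: strings.TrimPrefix(f[2], "acct="),
			ok:   strings.TrimPrefix(f[3], "login=") == "ok",
		})
	}
	return out, nil
}

// accountsFrom is the first pivot: every account with a successful login from
// the flagged proxy address. Failed attempts are left out because a failed
// login exposes nothing. The result is sorted and de-duplicated.
func accountsFrom(entries []entry, ip string) []string {
	seen := map[string]bool{}
	for _, e := range entries {
		if e.ip == ip && e.ok {
			seen[e.acct] = true
		}
	}
	return sortedKeys(seen)
}

// otherSources is the second pivot: addresses other than the flagged proxy
// that also logged into the affected accounts. Some are the legitimate owners,
// some may be further proxies used by the same crew; each needs a look before
// anything is blocked.
func otherSources(entries []entry, accounts []string, ip string) []string {
	affected := map[string]bool{}
	for _, a := range accounts {
		affected[a] = true
	}
	seen := map[string]bool{}
	for _, e := range entries {
		if affected[e.acct] && e.ok && e.ip != ip {
			seen[e.ip] = true
		}
	}
	return sortedKeys(seen)
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	entries, err := parse(sampleLog)
	if err != nil {
		panic(err)
	}
	const proxy = "203.0.113.45" // the open SOCKS proxy on the compromised home machine (constructed)
	accounts := accountsFrom(entries, proxy)
	fmt.Println("accounts to suspend:", accounts)
	fmt.Println("other addresses seen on those accounts:", otherSources(entries, accounts, proxy))
}
```

Against the constructed log the first pivot yields accounts 1001, 1003 and 1005 (1004 saw only a failed attempt), and the second pivot turns up two more addresses that touched those accounts. In a real case the proxy address should be confirmed against the time window in which the criminal was seen using it, since a home machine's address can be reassigned to an innocent customer a day later.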
In my opinion, EV SSL does nothing to counter the escalating sophistication used by the criminals, and does nothing to increase the security of the site. The problem is educating the users and EV SSL only further confuses the issue.
EV SSL certificates aren't going to change anything. At least, they won't change anything as long as crap like this keeps working…

I completely agree, with criminals becoming more and more technically advanced, it's becoming harder to combat their threat. We definitely need to focus on educating users so they know what to watch out for.
Posted by: apache ssl certificate | January 28, 2011 at 06:34 AM