SSL Flaw by (Browser) Design?

A while ago, the two security “white hats” Alexander Sotirov and Mike Zusman announced that they are going to publish a tool for exploiting EV SSL secured sites at the Black Hat Security Conference at the end of this month. Some sites reported the alleged attack on EV SSL secured sites as a means to prove that Extended Validation (EV) digital certificates aren’t any more secure than regular SSL certificates. That’s obviously an interesting claim since EV certificates traditionally cost quite a lot more than those that don’t turn the address bar of the browsers green.

Our two “white hats” were carefully to point out that it’s actually not an attack on EV itself, but rather a flaw in design in the way browsers deploy SSL. Sotirov noted that “the main point of our research is not that it is possible to capture everything transmitted during an SSL session. It is that man-in-the-middle attacks against EV SSL certificates are possible if the attacker has a regular (non-EV) certificate for the same domain name.

Therefore the precondition for a successful attack on an EV secured site requires an attacker to obtain a “valid” regular certificate for the same domain name which is trusted by the browser. This shouldn’t be possible in first place - in this case it was rumored that the duo succeeded in obtaining a wild card certificate through the use of special characters and the way the certification authority understands the certificate signing requests. Additionally some browsers interpret the signed certificate in a way which makes spoofing of the web site possible.

But is it really an attack on EV SSL secured sites? Does it indicate that such web sites aren’t any more secure than others?

Extended Validation Browser Address Bar

By showing the green address bar in the browser, it’s reasonable to assume that visitors expect a higher trust. This clearly shows that browsers should not allow the mixing of EV and regular certificates within the same session and page(s) as is the case today. Apparently Opera is the only browser which has a feature that enables exactly this behavior by setting at opera:config the SecurityPrefs to StrictEVMode. But very unfortunately all other major browsers don’t have those capabilities at the moment.

It’s unclear if the browser vendors and the PKI industry moves forward now with an all EV requirement for such EV secured sites. Other ideas have been proposed such as a non-DV issuance policy when a site already acquired an EV certificate. But those ideas are harder to implement and may not be favorable by the EV certificate holders themselves. Really, why should a subscriber be limited to obtaining only EV certificates for a specific domain?

The major fault lies perhaps elsewhere - regular certificates must be robust enough to prevent MITM attacks. Efforts are under way by various CAs and the CAB Browser Forum to improve and guide the issuance of low-assurance certificates, a process which started even before the current efforts by Sotirov/Zusman. Incidentally also identity and organization validations outside of the EV context are looked at (at last) and a proposed secured version of the WHOIS protocol is also under consideration. The later - dubbed WHOISSEC - is relatively easy to implement and allows the bootstrapping of the domain validation in a secured manner. This will be beneficial for all types of SSL certificates.

In the meantime we are left guessing what kind of certificate was perhaps wrongfully issued and under which circumstances until its disclosure at the Black Hat conference. Nelson Bolyard, the lead developer of the NSS crypto module of Mozilla Firefox,  requested to see the bogus cert, so we can see who issued it and pull the plug on them until they straighten up their act. Lets see…

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Other Posts
Who am I?
It’s all about the Moon

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

You must be logged in to post a comment. Click here to login.

Reader Comments

Excellent and illuminating write-up. I wonder, though, why all the press releases are touting this as an attack on “EV SSL” — I guess because it’s easier to blame CAs and security companies than browser developers, who don’t often draw the same kind of flack.

Then again, your point here is well taken: “regular certificates must be robust enough to prevent MITM attacks.” That’s part of the reason I think adopting EV SSL as industry standard is in general a good idea, but the demand for cheaper, regular DV certs continues for obvious reasons. With the appropriate fixes to WHOIS and browser handling, however, EV’s superiority might become a bit clearer.