Feeds

Will EV SSL stop phishing attacks? Probably not

Green means good very little

Beginner's guide to SSL certificates

Security vendors like VeriSign consider a new technology called EV SSL an important measure against phishing attacks. But two recent items suggest it will do little to stop skilled conmen from spoofing trusted websites.

Exhibit A was this post from network services company Netcraft, which documents a recently discovered cross-site scripting error on the popular open source website SourceForge. The gaping hole allowed unauthorized data to be injected into the website, opening up a new browser window.

It just so happens that SourceForge is one of the 5,000 or so websites using EV SSL, which is short for Extended Verification Secure Sockets Layer. It works just like plain-vanilla SSL except that it requires website operators to take additional steps to verify their identity before receiving an electronic certificate.

Sites that use the technology show up in green in a browser's address bar. They're designed to give users additional confidence that the site is not an impostor under the control of bad guys.

And yet, as the SourceForge goof made clear, there's no guarantee at all that sites showing up green aren't under the control of unauthorized parties. A cross-site scripting error on the right site can prove a bonanza to phishers because it allows them to inject rogue content into a trusted site - for instance a dialog box that instructs the visitor to enter his login credentials. The concern is the green bar will cause end users to drop their guard by giving them a false sense of security.

Exhibit B came in the form of a recently released survey by NetBenefit that finds 70 per cent of UK online shoppers don't understand what a green browser bar is anyway.

Not that everyone is convinced EV SSL is a waste. According to this article from Network World, the lack of support for EV SSL is one reason PayPal is recommending its users steer clear of Apple's Safari browser. It reports that people using EV SSL are more likely to actually log in to PayPal than those who don't, presumably because they have greater confidence.

Still, it's not clear exactly what problem EV SSL is supposed to solve. While it's theoretically possible for phishing sites to use SSL, reports of SSL-protected sites spoofing PayPal or other sensitive websites are rare, if not nonexistent. We think we'll wait out the the rush to acquire extended certificates for the time being. ®

Beginner's guide to SSL certificates

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.