Showing posts tagged with Extended Validation SSL
Tim Callan | 07 Oct 2009 | 0 comments

There's a lot going on this week. We've seen the widespread publicity of the theft of free e-mail accounts across a broad range of webmail providers. And at the same time we've seen the first detected instance of a null character attack in the wild. This story is still ongoing, the latest development being that PayPal has shut off the account of the researcher who created the null character certificate being used in this attack.

The connection between these two events is the ongoing need for knowledge of authentic identity and the role of...

Tim Callan | 29 Jul 2009 | 6 comments

Greetings from Las Vegas. Today we saw two presentations regarding attacks that affect the world of SSL. I'll give you a capsule summary of each and tell you how VeriSign certificates fit in. Lest this post become a tome, the summaries will have to be oversimplified. I'll strive to represent the subjects as accurately as I can.

First up was Moxie Marlinspike, detailing the latest additions to his sslstrip tool. The focus of this presentation was various ways to use null characters to fool browsers and other pieces of relying software into believing a certificate has been issued to a different domain than the one to which it was actually issued. The idea is that the attack would give the online criminal the ability to put up a certificate on what appears to be the exact same domain name as the targeted site. sslstrip accomplishes this feat through a Man-in-the-Middle attack and uses the null-character certificate to create its false certificates on the fly.

I'm...

Tim Callan | 15 Jul 2009 | 9 comments

We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).

Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer...

Tim Callan | 02 Jul 2009 | 1 comment

Hi folks. Sorry for the lack of posts lately. I've been slammed.

Writing today because Firefox 3.5 has broken the download record for a new browser version with over 8 million downloads in a single day. One subject that has been the source of online discussion is the fact that the EV certificates for a series of SSL brands (four that I know of) have stopped showing up green in Firefox 3.5.

You can be assured that this problem does not happen with the EV SSL Certificates from VeriSign, thawte, or GeoTrust.

Tim Callan | 16 Apr 2009 | 0 comments

Here's today's press release about the near-ubiquity of Extended Validation SSL among Japanese banking institutions.

Tim Callan | 04 Apr 2009 | 0 comments

I've been waiting for it to happen, and here we are. Apple officially wins the smartphone race for Extended Validation SSL support. That's because Mobile Safari now has Extended Validation SSL support. On the heels of Internet Explorer's adoption of EV support in January 2007, the desktop saw a wave of browsers adding in support. With over 60% of mobile browser usage, iPhone is the pacesetter in this market. I hope Apple has broken the ice for mobile devices to do the same thing.

Tim Callan | 03 Apr 2009 | 1 comment

With the release of Safari 4 and the ongoing adoption of current versions of other browsers, the number of client systems using EV-compatible browsers has exceeded 75%.

Tim Callan | 17 Mar 2009 | 0 comments

I've written in the past about how phishers and other online scammers are attaching themselves to topical items like tax season and holiday shopping. Well, now it looks like March Madness is the latest victim.

That makes all the sense in the world. These fraudsters are trying to trick Internet users into giving away information or giving malware access to their systems. Originally it was a matter of spoofing someone's PayPal or bank account. As the users have gotten wiser (although these workhorse counterfeits are still happening in huge numbers) the attackers have constantly sought green fields. One consistent technique is to take the prospective victim out of the context in which he is looking for a scam. Your bank account is too suspicious? No problem. How about your utility bill or your favorite e-commerce site or your wireless phone...

Tim Callan | 12 Mar 2009 | 0 comments

That's right. There is an entire continent on which 100% of the Internet browsers are EV SSL compatible. What's the continent? Antarctica, of course.