

Researchers poke holes in EV SSL

Extended validation secure sockets layer, or EV SSL, has been trumpeted as the replacement for the venerable SSL standard. Previously, EV SSL certificates were believed to be immune to man-in-the-middle (MITM) attacks, in which a malicious party in a position to intercept data packets manipulates them. At last week's CanSecWest security conference, though, independent researchers Alexander Sotirov and Mike Zusman were able to demonstrate that the more expensive EV SSL certificates are not impervious to MITM attacks either.

Design flaws in browsers proved to be the undoing of this new certificate type, making it possible to execute a MITM attack and still have the browser show the green bar that tells users they are protected. Still, Sotirov thinks EV SSL certificates are valuable, if only for the additional vetting they require. However, until browsers work out a way to distinguish between the two types of certificates, EV and ordinary SSL, there can be no guarantees.

For more on this story:
- check out this article at The Register
