Archive for July, 2009
23
Jul
Are EV SSL certificates insecure?
Today Intrepidus Group reported that EV SSL certificates are susceptible to a “Man-in-the-Middle” attack.
Zusman and Sotirov call their attack “SSL Rebinding” and claim that it can be used to sniff sensitive data as it leaves the user’s browser or to conduct a browser cache poisoning attack against EV SSL Web sites.
This is a major blow to EV SSL certificates and their significantly higher price tag. It is significant enough that, if you are using an EV SSL certificate, it may be a good idea to downgrade until the exploit is fixed.