VULNERABILITY OF FIRST-GENERATION DIGITAL CERTIFICATES AND POTENTIAL FOR PHISHING ATTACKS AND CONSUMER FRAUD (Rev 1.1)

I. Background

First-generation vetted digital certificates are vulnerable to abuse, and the potential for phishing attacks and consumer fraud grows as a result. The cause is flawed identity information contained in manually vetted SSL certificates. Second-generation automated vetting is expected to address this.

II. Description

Browser vendors have recently discussed making the traditional SSL lock symbol more prominent for consumers and, alongside it, displaying information taken from the SSL certificate itself. An initiative of this type is important, especially for helping consumers feel comfortable conducting commerce online, but there are serious concerns about which information is displayed. The proposed field is the Organization (O) information in the SSL certificate. Unfortunately this field is not intended to be unique, is easily obtained and misrepresented, and in the long term will give consumers a false sense of security.

This month GeoTrust, the world's second largest Certification Authority, released a paper describing the issue and how the first-generation vetting methods used in the industry, when combined with these new browser modifications, can in fact increase phishing and so raise the number of fraud incidents suffered by consumers. If a certificate obtained through the first-generation vetting techniques discussed in the whitepaper is installed on a web site, and that site is visited with a browser that displays SSL Organization information, the user can easily be deceived into believing the site belongs to an organization that it in fact does not.

III. The Details

Proof of concept URL: http://www.geotrust.com/resources/advisory/sslorg/index.htm

Clicking any of the three links on the above page with a browser that supports the display of SSL Organization information shows how easily a consumer could be fooled. The certificates installed on these web sites were obtained without misrepresentation and without falsifying documents, and they were issued by several different CAs. This demonstrates how easy it is to obtain a first-generation vetted SSL certificate and how easily such a certificate could be used to deceive the consumer.

Phishing attacks are the fastest growing class of attacks on the Internet today. Presenting certificate information in this way, when the process for obtaining these certificates is so easy, potentially opens a large new hole for phishers to exploit.

Browsers offering this support today include:
- Opera 8 Beta 3

IV. Workaround

As an initial workaround, browsers that want to display SSL certificate information to the consumer alongside the universal lock symbol should consider displaying the Common Name (CN) field alone, or in conjunction with the name of the issuing CA. The CN is the one component that every public certification authority vets consistently and strongly, because it must match the host name for SSL communications to work at all. (Browsers today match the host name against the Subject Alternative Name extension rather than the CN, so the same reasoning applies to the SAN.) The next logical step is to incorporate additional information gathered from trusted third parties, which would let consumers see an established chain of touch points for the web site.

V. Publish Date

April 12, 2005 - Public disclosure