Man in the middle attack against Extended Validation protected Web sites

Two security researchers are presenting a man in the middle attack against Extended Validation (EV) protected websites through what they term “SSL Rebinding”.
The basic problem is that modern websites combine information from many sources simultaneously when providing services to users. The problem a browser faces is deciding when it is valid to show the Extended Validation protection level, by the “green bar” or a similar UI distinction, when only part of the visible content is provided through an EV certificate protected TLS (SSL) session.
Some sites, such as PayPal, provide part of the content through EV protected TLS while other parts are protected only with a Domain Validation (DV) certificate, but web browsers will still regard the whole session as EV protected.

The researchers claim to have found an attack that effectively exploits this and will present their result at the upcoming Black Hat conference.
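To make the weakest-link point concrete, here is an added example (not code from the post or from the researchers) of how a browser could compute the indicator for a page assembled from several TLS sessions. The `Resource` type, the function names and the sample page are assumptions constructed for this illustration; the one real value is `2.23.140.1.1`, the CA/Browser Forum EV policy OID (a real browser would also carry the CA-specific EV OIDs of its trust store). The simplification is that any HTTPS certificate without an EV policy counts as DV.

```python
"""Page-level security indicator for mixed-session content (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# CA/Browser Forum EV policy OID (real). Browsers add CA-specific EV OIDs here.
EV_POLICY_OIDS = {"2.23.140.1.1"}

# Ordering of indicator levels, weakest first.
LEVELS = {"none": 0, "dv": 1, "ev": 2}


@dataclass(frozen=True)
class Resource:
    """One fetched resource and the certificate policy OIDs of the cert that served it."""
    url: str
    scheme: str                     # "https" or "http"
    policy_oids: Tuple[str, ...]    # empty for plain http


def classify(resource: Resource) -> str:
    """Indicator level earned by a single resource's transport."""
    if resource.scheme != "https":
        return "none"
    if any(oid in EV_POLICY_OIDS for oid in resource.policy_oids):
        return "ev"
    return "dv"  # assumption: non-EV HTTPS is treated as DV


def page_indicator(resources: List[Resource]) -> str:
    """Weakest-link rule: the page is only as strong as its weakest resource."""
    if not resources:
        return "none"
    return min((classify(r) for r in resources), key=LEVELS.__getitem__)


def flawed_indicator(resources: List[Resource]) -> str:
    """The behaviour the post criticises: judge only the top-level document."""
    return classify(resources[0])


# Constructed sample page: EV top-level document, DV script, plain-http image.
TOP = Resource("https://www.example.test/", "https", ("2.23.140.1.1",))
SCRIPT = Resource("https://cdn.example.test/app.js", "https", ("1.2.3.4.5",))  # placeholder DV OID
IMAGE = Resource("http://static.example.test/logo.png", "http", ())
MIXED_PAGE = [TOP, SCRIPT]


def demo() -> Tuple[str, str]:
    """Return (flawed, weakest-link) indicators for the constructed page."""
    return flawed_indicator(MIXED_PAGE), page_indicator(MIXED_PAGE)


if __name__ == "__main__":
    print(demo())
```

With the constructed page, `flawed_indicator` reports `ev` because it only looks at the document that carried the EV certificate, while `page_indicator` drops to `dv` because the script came over a DV session; add the plain-http image and it drops to `none`.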

EU Identity project turns its back on Information Card

The EU Commission funded project STORK announced during its second Industry Group Meeting that it has decided on SAML 2.0 as the protocol for its technical architecture.
The STORK project is the primary pilot project assigned by the EU Commission to test cross-border electronic identification between citizens and electronic services across Europe.

The first Industry Group Meeting resulted in feedback suggesting that the proposed architecture has potential vulnerabilities with respect to man in the middle attacks.
The combination of the solution to this problem and the selection of SAML 2.0 as the protocol of choice effectively prevents the use of the Information Card technology developed by the industry during the past five years. The reason for this is that the Information Card model, which also uses SAML assertions, uses WS-Trust as its primary exchange protocol and not pure SAML.

First visual eID draft posted

The first IETF draft is posted:

The first draft is the result of an initial design process within the editorial team as well as discussions with partners and members of the CA Browser Forum.
This draft will initiate discussion in the PKIX WG on whether to accept it as an adopted work item.

Visual eID Problem Statement posted

Based on input and discussions around the Visual eID project, I have written a problem statement which will be a living document for the project.
This document attempts to capture, on a few pages, the basic problems and scenarios as well as the main reasons why this work is needed.

This living document is available

Comments and input are highly appreciated.

Visual eID submitted to ISSE 2009

The visual eID standards effort has been submitted to the Information Security Solutions Europe conference in The Hague, October 2009.
The submitted abstract below provides some basic rationale and orientation:

Since the EU directive on electronic signatures was published in 1999, national certification authorities have issued millions of certificates and qualified certificates. But have you actually seen one?

It is a paradox that, although the development of standards for electronic identification using public key cryptography has been going on for a bit over 20 years by now, we still have no generic solution or standard for how to display a certificate based identity to a human being.

Strong editorial team for visual eID standard

During IETF last week in San Francisco we managed to form a really strong editorial team for the new visual eID standard.

This standard will make it possible to bind a visual representation of a certificate to its signature. More information about this project is available on my Visual eID information page.

The editorial team:

Stefan Santesson, 3xA Security, is lead editor as initiator and driver of this standards effort.

Russ Housley, Vigil Security. Russ is chairman of the Internet Engineering Task Force and was also co-editor of the original standard RFC 3709 on which this standards effort is based.

Siddharth Bajaj, VeriSign. VeriSign, as the world's leading provider of public certificates for web servers, has been actively promoting a better UI experience for certificate based identification and authorisation. Siddharth has been actively involved with these efforts for almost a decade.

Leonard Rosenthol, Adobe. This standards effort was made possible largely thanks to the standardisation of PDF in 2008. Leonard is the standards architect behind the development of an ETSI standard for PDF based Advanced Electronic Signatures (PAdES).

The work to write this standard will start immediately, and a first draft will be published soon, no later than the end of April.

Visual eID project presented at PKIX, March 23

On Monday March 23, I will present the standards mission of the Visual eID project at the PKIX meeting at the IETF 74 in San Francisco.

The presentation is available here

I’m currently looking for partners and sponsors for this project, and for this purpose I have created a project information page at

Visual Electronic Identities

How can we provide applications with standard user interface tools to display a meaningful representation of an electronic identity (eID)?

All those Passwords

Passwords are a menace. A discussion I overheard between young students gave me reason to actually feel hopeful.