Jul 2009
Man in the middle attack against Extended Validation protected Web sites
2009-Jul-15 23:27 Filed in:All | Authentication
Two security researchers are presenting a man in the middle attack against Extended Validation (EV) protected websites through what they term “SSL Rebinding”.
The basic problem is that modern websites combines information from many sources simultaneously when providing services to users. The problem a browser faces is to decide when it is valid to show the Extended Validation protection level by the “green bar”, or similar UI distinction, when only part of the visible content is provided through an EV certificate protected TLS(SSL) session.
Some sites, such as PayPal provide part of the content through EV protected TLS while other parts are just protected using a Domain Validation (DV) certificate, but web browsers will still regard the whole session as EV protected.
The researchers claim to have found an attack that effectively exploits this and will present their result at the upcoming Black Hat conference.
Read More...
The basic problem is that modern websites combines information from many sources simultaneously when providing services to users. The problem a browser faces is to decide when it is valid to show the Extended Validation protection level by the “green bar”, or similar UI distinction, when only part of the visible content is provided through an EV certificate protected TLS(SSL) session.
Some sites, such as PayPal provide part of the content through EV protected TLS while other parts are just protected using a Domain Validation (DV) certificate, but web browsers will still regard the whole session as EV protected.
The researchers claim to have found an attack that effectively exploits this and will present their result at the upcoming Black Hat conference.
Read More...
Minimum requiriments for electronic signatures in Europe may disqualify perfectly valid signatures
2009-Jul-03 03:08 Filed in:All | Signatures
Various activities in Europe tries, in light of the Services directive, to establish minimum requirements for Advanced Electronic Signatures in Europe.
The background of the electronic signature directive and the electronic signature standards in Europe makes this a hard and potentially dangerous task where we run a risk of disqualifying most signature capable products for no obvious gain.
Read More...
The background of the electronic signature directive and the electronic signature standards in Europe makes this a hard and potentially dangerous task where we run a risk of disqualifying most signature capable products for no obvious gain.
Read More...