Friday, March 27, 2009

SSL vs EVSSL - What's new inside or just a cryptography myth?

To date, many websites (commercial or non-commercial) have operated with standard SSL (Secure Sockets Layer) certificates. Because they secure transactions over the internet, these certificates play an important role in any organization's credibility. Sniffing and decoding of SSL-based traffic has caused enough controversy that online merchant services such as VeriSign began working toward a stable solution for data encryption and for SSL certificates that offer the highest level of identity assurance and fraud protection. Earlier SSL encryption relied on RC2, RC4 or IDEA with key sizes ranging from 40 to 128 bits. Is that hard to decrypt? Absolutely not (though it also depends on the encryption type).

The main purpose of introducing Extended Validation SSL (EVSSL) certificates was to give web visitors a new level of trust by providing some proof on the user's end. With EVSSL, the user can verify a website's identity: the browser address bar turns green, confirming that the site's identity has been verified with the Certification Authority (CA). For its part, the CA validates not only the domain registration but also the operational, legal and physical existence of the company or website. The recent growth of Fast Flux network attacks proved that SSL encryption and its validation are crackable, which poses a serious loss of faith and confidence for end users.
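
To make the difference in validation concrete, the following added example (not part of the original post) sorts certificates by how much verified identity data their subject carries: domain only (DV), organization (OV), or the fuller legal-entity set associated with EV. It assumes the subject layout and attribute names that Python's `ssl.SSLSocket.getpeercert()` returns, uses constructed sample certificates, and is a triage heuristic only, since browsers grant EV treatment based on the issuing CA's policy rather than on subject fields.

```python
# Added example; sample certificates below are constructed, not real.
# Field names follow the dict returned by ssl.SSLSocket.getpeercert().
EV_SUBJECT_FIELDS = (
    "organizationName",         # legal entity the CA verified
    "businessCategory",         # e.g. "Private Organization"
    "serialNumber",             # company registration number
    "jurisdictionCountryName",  # where the entity is incorporated
)

def flatten_subject(cert):
    """Map each subject attribute name to its list of values."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def classify(cert):
    """Return (level, missing_ev_fields) from subject contents alone."""
    subject = flatten_subject(cert)
    missing = [f for f in EV_SUBJECT_FIELDS if f not in subject]
    if not missing:
        return "EV-like", missing
    if "organizationName" in subject:
        return "OV-like", missing
    return "DV-like", missing

DV_SAMPLE = {"subject": ((("commonName", "shop.example"),),)}
OV_SAMPLE = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Shop Inc."),),
    (("commonName", "shop.example"),),
)}
EV_SAMPLE = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("localityName", "Springfield"),),
    (("organizationName", "Example Shop Inc."),),
    (("commonName", "shop.example"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        level, missing = classify(cert)
        print(f"{label}: {level}; missing EV identity fields: {missing or 'none'}")
```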


According to the Anti-Phishing Working Group (APWG), 90% of phishing attacks carried out in December 2006 were perpetrated against financial services companies. The estimated loss reported was USD $1 billion per year. Handling transactions over EVSSL ensures better protection. Organizations deploying EVSSL certificates have to find a suitable CA through the CA/Browser Forum (www.cabforum.org). According to a Tec Ed report (2007), which gathered responses on usage of and attitudes toward e-commerce and EVSSL, the results were outstanding. Overall, EVSSL is the best way to ensure that phishers do not wreck a merchant's reputation and that end users and consumers do not have their sensitive data stolen.

VeriSign recently highlighted views on EVSSL best practices, just after last month's MITM attack simulation at Black Hat D.C. The attack was a twist on the existing MITM attack that fools users into visiting a false website. What sets it apart from previous MITM attacks is the way the fraudulent site attempts to leverage a false visual appearance: it simply replaces the site's favicon with a padlock. Although the method can reproduce the padlock, it cannot create a legitimate HTTPS indicator or the green address bar. That is where EVSSL succeeds.