VeriSign Offers Recommendations on How to Protect From Man-in-the-Middle Attacks

March 1, 2009

MOUNTAIN VIEW, CA – In light of a new man-in-the-middle (MITM) type of attack unveiled this week at Black Hat D.C., VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, is providing simple tips end users and businesses can use to effectively thwart the online threat.

The highlighted attack is the latest twist on the venerable MITM attack, which relies on a user being fooled into connecting to the wrong server. Common techniques for fooling visitors include phishing e-mails, false wireless hotspots, and most recently poisoning of insecure DNS servers. The scheme uses a fraudulent server to intercept communications between a user’s browser and a legitimate Web site and then acts as a proxy: it talks to the legitimate site on the user’s behalf while serving the user plain HTTP (not HTTPS), so the browser never negotiates an SSL session and the sensitive information passes through the fraudulent server in the clear.

What makes this attack different from previous MITM attacks is that the fraudulent site attempts to leverage false visual cues, namely replacing the fraudulent site’s favicon with a padlock icon, which has traditionally been recognized as a visual cue to signify an SSL-protected site. The favicon, however, is just another image chosen by the site. The HTTPS indicator and the even more noticeable green glow in the address bar of high security Web browsers are drawn by the browser itself, and only after it has validated the site’s certificate, so while this scheme is capable of reproducing the padlock image, it is not capable of recreating the legitimate HTTPS indicator or the green glow that appears where the site is secured with an Extended Validation SSL Certificate.

To help protect from a MITM attack, VeriSign offers the following tips to end users and businesses.

End users:
— Look for the “green glow” in the address bar: Man-in-the-middle and
phishing attacks in the wild today can be combated through Extended
Validation (EV) SSL Certificates and by noticing when the green is absent.
EV SSL Certificates confirm the identity of the organization that owns the
Web site. Online criminals do not have access to EV SSL Certificates for
the sites they’re counterfeiting and therefore cannot spoof the green glow
that shows that an authenticated Web site is secure.

— Download the latest version of a high security Web browser such as
Internet Explorer 7 or higher, Firefox 3 or higher, Google Chrome, Safari
or Opera.

— Take advantage of authentication credentials such as tokens and other
forms of two factor authentication for sensitive accounts.

— Treat e-mails from unknown senders with a high degree of skepticism,
and don’t click links to access secure sites (type the Web address into
the browser yourself).

Businesses:
— Adopt EV SSL and educate customers on what the green glow in the
address bar means. Put the EV SSL Certificate on your home page and every
other page where a secure transaction takes place.

— Don’t offer logins on pages that are not already in an SSL session. A
login form delivered over plain HTTP can be rewritten by the fraudulent
proxy before the user ever sees it, even if the form was meant to post to
an HTTPS address.

— Offer two factor authentication to customers as an optional way to add
another layer of security when accessing accounts.

— Deploy risk-based authentication solutions in the back end to detect
anomalies within customer accounts.

— Don’t include links in e-mails to customers, and encourage them to
download the latest version of their favorite browsers.
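The following is an added example written for this page; it is not code from the VeriSign release or from the Black Hat presentation. It shows, on a constructed HTML page, the two rewrites the proxy scheme described above performs (every https:// reference downgraded to http://, and the site’s favicon swapped for a padlock image), and then the check behind the “don’t offer logins outside an SSL session” tip: a scan that reports every password form whose credentials would be submitted over plain HTTP. The host names bank.example and attacker.example and the sample HTML are assumptions made up for the example.

```python
"""Added example (not part of the VeriSign release): what an HTTPS-stripping
proxy changes in a page, and a check that flags login forms whose credentials
would travel over plain HTTP. All hosts and HTML below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page a legitimate server returns over HTTPS.
ORIGINAL_PAGE = """<html><head>
<link rel="icon" href="https://bank.example/favicon.ico">
</head><body>
<a href="https://bank.example/login">Sign in</a>
<form action="https://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

# Hypothetical location of the attacker's padlock image.
PADLOCK_ICON = "http://attacker.example/padlock.ico"


def strip_https(html: str, fake_favicon: str = PADLOCK_ICON) -> str:
    """Rewrite a page the way the proxy described in the release does:
    every https:// reference becomes http:// so the browser keeps talking
    cleartext to the proxy, and the site's favicon is replaced by a padlock
    image that imitates the browser's own SSL indicator."""
    downgraded = re.sub(r"https://", "http://", html, flags=re.IGNORECASE)
    downgraded = re.sub(
        r'(<link[^>]*rel="(?:shortcut )?icon"[^>]*href=")[^"]*(")',
        lambda m: m.group(1) + fake_favicon + m.group(2),
        downgraded,
        flags=re.IGNORECASE,
    )
    return downgraded


class _FormScanner(HTMLParser):
    """Collect each form's action attribute and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_login_forms(page_url: str, html: str) -> list:
    """Return the absolute submit URLs of password forms that would send
    credentials over plain HTTP. A form without an action posts back to the
    page itself and a relative action inherits the page's scheme, so the URL
    the page was loaded from decides in both cases."""
    scanner = _FormScanner()
    scanner.feed(html)
    exposed = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action) if action else page_url
        if urlsplit(target).scheme.lower() != "https":
            exposed.append(target)
    return exposed


if __name__ == "__main__":
    print("original page:", cleartext_login_forms("https://bank.example/login", ORIGINAL_PAGE))
    stripped = strip_https(ORIGINAL_PAGE)
    print("after stripping:", cleartext_login_forms("http://bank.example/login", stripped))
```

Run against the original page the check returns nothing, because the form posts to an HTTPS URL. Run against the downgraded copy the proxy serves, it reports the login form, since both the page and the rewritten action are now plain HTTP; the padlock favicon changes nothing about that result, which is the point of the release.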

“Though online criminals have been using low-authentication SSL Certificates in phishing and man-in-the-middle types of attacks for years, the Black Hat presentation last week is a good reminder for end users to remain vigilant when transacting online,” said Tim Callan, vice president of product marketing for VeriSign. “Security threats come in many forms and staying a step ahead requires education on the end-user side and a comprehensive, layered security approach from Web sites to help ensure that users have a secure experience.”

About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at
