On-Line Transactions: Good. On-Line Insecure Transactions: Bad

It is always nice when the hackers warn you that they are going to strike: next week, security researchers are planning on hacking into your “secure” transactions by intercepting data during an on-line transaction on a site allegedly protected by an SSL certificate.

The dirty deed will be taking place at the Black Hat Security conference in Las Vegas, reports Thomas Claburn at InformationWeek. According to the article, experts Mike Zusman, principal consultant at Intrepidus Group, and Alex Sotirov, an independent security researcher, have found and can exploit a weakness in the browser to conduct what is known as a “man in the middle” attack on sites protected by Extended Validation (EV) Secure Sockets Layer (SSL) certificates. This type of attack entails “sniffing” out the desired data as the data leaves the user’s browser, or via what is called a “browser cache poisoning attack on EV SSL websites.”

The browsers supporting EV SSL? Well, they include the most recent versions of Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera. I guess that means pretty much all of them.

What does it all mean? It means that while the Advocate advocates adopting the “free”-ly on-line model and the wonders that all of this great technology and access offers, we all, attorneys in particular, need to be mindful of the hazard these security breaches pose. Carefully consider the risks of sharing or storing sensitive data on-line at all times – you never know where the thieves are hiding, even Las Vegas!


2 comments on “On-Line Transactions: Good. On-Line Insecure Transactions: Bad”

  1. Ha! Don’t believe the hype. The prob with SSL Certs falls on the shoulders of the browser developers. EV SSL certificates guarantee that the user has entered a secure site, YES. But the website owner “is responsible” for the elements on the site.

  2. Sounds like the EV SSL people and the browser developers need to get on the same page. Is it your experience / opinion that there is not enough cross-talk between these groups? If that is the case, it seems this is a serious enough issue to warrant some conferencing on the best solution.
