VeriSign Offers Recommendations For Protection Against MITM Attacks
The scheme uses a fraudulent server to intercept communications between a user's browser and a legitimate website, and then acts as a proxy, collecting sensitive information over HTTP.
In light of a new man-in-the-middle (MITM) type of attack unveiled this week at Black Hat DC, VeriSign is providing simple tips end users and businesses can use to effectively thwart the online threat.
The highlighted attack is the latest twist on the venerable MITM attack, which relies on a user being fooled into going to the wrong website. Common techniques for fooling visitors include phishing e-mails, false wireless hotspots, and most recently poisoning of insecure DNS servers. The scheme uses a fraudulent server to intercept communications between a user’s browser and a legitimate website, and then acts as a proxy, collecting sensitive information over HTTP (not HTTPS) between the browser and the fraudulent server.
What makes this attack different from previous MITM attacks is that the fraudulent site attempts to leverage false visual cues, namely replacing the fraudulent site’s favicon with a padlock icon, which has traditionally been recognised as a visual cue to signify an SSL-protected site. But while this scheme is capable of reproducing the padlock, it is not capable of recreating the legitimate HTTPS indicator or the even more noticeable green glow in the address bar of high security Web browsers, where the site is secured with an Extended Validation SSL Certificate.
To help protect from a MITM attack, VeriSign offers the following tips to businesses:
- Adopt EV SSL and educate customers on what the green glow in the address bar means. Put the EV SSL Certificate on your home page and every other page where a secure transaction takes place.
- Don’t offer logins on pages that are not already in an SSL session.
- Offer two-factor authentication to customers as an optional way to add another layer of security when accessing accounts.
- Don’t include links in e-mails to customers, and encourage them to download the latest version of their favourite browsers.
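The second tip (never offer a login outside an SSL session) is the one a site operator can enforce mechanically, and it is the control that defeats the proxy described above: if the login form is never served over plain HTTP and credentials posted over plain HTTP are never accepted, a downgraded session cannot complete a login. The following is an added example, not VeriSign's code or any product's, showing both sides of that control in plain Python: a small WSGI-style request handler that applies the policy, and an audit helper that scans a page's HTML for password forms that are served from, or submit to, a non-HTTPS URL. The host name example.com, the `/login` path and the sample page are constructed placeholders; the handler assumes a TLS terminator in front of it sets `wsgi.url_scheme` honestly.

```python
"""Added example (not from the original article): enforce and audit the
'no logins outside an SSL session' rule.

Assumptions (hypothetical): the app runs behind a TLS terminator that
sets wsgi.url_scheme, the site is example.com, and the login path is /login.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECURE_HOST = "example.com"  # placeholder host, constructed for this example

# Absolute https action: a proxy rewriting relative links on a downgraded
# page cannot turn this form into one that submits over plain HTTP.
LOGIN_FORM = (
    '<form method="POST" action="https://{host}/login">'
    '<input name="user"><input name="pass" type="password">'
    '<button>Sign in</button></form>'
)


def handle_request(environ):
    """Return (status, headers, body) for a request, applying the policy:
      * plain-HTTP GET  -> redirect to HTTPS; the form is never served in clear
      * plain-HTTP POST -> reject; credentials already exposed are not accepted
      * HTTPS GET       -> serve the form
      * HTTPS POST      -> hand off to authentication (stubbed here)
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    method = environ.get("REQUEST_METHOD", "GET").upper()
    path = environ.get("PATH_INFO", "/")

    if path != "/login":
        return ("404 Not Found", [("Content-Type", "text/plain")], b"not found")

    if scheme != "https":
        if method == "GET":
            location = f"https://{SECURE_HOST}{path}"
            qs = environ.get("QUERY_STRING", "")
            if qs:
                location += "?" + qs
            return ("301 Moved Permanently",
                    [("Location", location), ("Content-Type", "text/plain")],
                    b"login is only available over HTTPS")
        # A POST over HTTP means the password already crossed the wire in
        # clear; accepting it would reward the downgrade, so refuse it.
        return ("403 Forbidden", [("Content-Type", "text/plain")],
                b"credentials sent over plain HTTP are not accepted")

    if method == "GET":
        body = LOGIN_FORM.format(host=SECURE_HOST).encode()
        return ("200 OK", [("Content-Type", "text/html")], body)
    if method == "POST":
        return ("200 OK", [("Content-Type", "text/plain")], b"authenticating")
    return ("405 Method Not Allowed", [("Allow", "GET, POST")], b"")


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), False]
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_login_forms(page_url, html):
    """Return resolved action URLs of password forms that are either served
    from a non-HTTPS page or submit to a non-HTTPS URL (both violate the tip)."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if not page_is_https or urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample page: a login form and a harmless search form.
SAMPLE_PAGE = (
    '<form action="/login"><input type="password" name="p"></form>'
    '<form action="/search"><input name="q"></form>'
)

if __name__ == "__main__":
    print(handle_request({"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET",
                          "PATH_INFO": "/login"})[:2])
    print(insecure_login_forms("http://example.com/", SAMPLE_PAGE))
```

Running the module redirects the plain-HTTP GET to `https://example.com/login` and reports the sample page's login form as insecure because the page itself was fetched over HTTP; fetch the same page over HTTPS and the audit passes, since its relative action resolves to an https URL. The audit helper is what a site owner would point at every page on which a login appears (the first tip's "every other page where a secure transaction takes place").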
"Though online criminals have been using low-authentication SSL Certificates in phishing and man-in-the-middle types of attacks for years, the Black Hat presentation last week is a good reminder for end users to remain vigilant when transacting online," said Tim Callan, vice president of product marketing for VeriSign. "Security threats come in many forms and staying a step ahead requires education on the end-user side and a comprehensive, layered security approach from websites to help ensure that users have a secure experience."