Press Release
VeriSign Offers Recommendations on How to Protect from Man-in-the-Middle Attacks
As New Spin on Man-in-the-Middle Attacks Surfaces, Leading SSL Vendor
Reaches Out to Educate End Users and Businesses
London – February 25, 2009 – In light of a new man-in-the-middle
(MITM) type of attack unveiled this week at Black Hat D.C., VeriSign,
Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure
services for the networked world, is providing simple tips end users
and businesses can use to effectively thwart the online threat.
The highlighted attack is the latest twist on the
venerable MITM attack, which relies on a user being fooled into going
to the wrong Web site. Common techniques for fooling visitors include
phishing e-mails, false wireless hotspots, and most recently poisoning
of insecure DNS servers. The scheme uses a fraudulent server to intercept
communications between a user’s browser and a legitimate Web site, and
then acts as a proxy, collecting sensitive information over HTTP (not
HTTPS) between the browser and the fraudulent server.
What makes this attack different than previous MITM
attacks is that the fraudulent site attempts to leverage false visual
cues, namely replacing the fraudulent site’s favicon with a padlock
icon, which has traditionally been recognised as a visual cue to signify
an SSL-protected site. But while this scheme is capable of reproducing
the padlock, it is not capable of recreating the legitimate HTTPS indicator
or the even more noticeable green glow in the address bar of high security
Web browsers, where the site is secured with an Extended Validation
SSL Certificate.
To help protect from a MITM attack, VeriSign offers
the following tips to end users and businesses.
End users:
- Look for the “green
glow”: Man-in-the-middle and phishing attacks in the wild today can
be combated by relying on Extended Validation (EV) SSL Certificates and
noticing when the green is absent. EV SSL Certificates definitively
confirm the identity of the organisation that owns the Web site. Online
criminals do not have access to EV SSL Certificates for the sites they're
counterfeiting and therefore cannot spoof the green glow that shows that
an authenticated Web site is secure.
- Download the latest
version of high security Web browsers such as Internet Explorer 7 or
higher, Firefox 3 or higher, Google Chrome, Safari or Opera.
- Take advantage of
authentication credentials such as tokens and other forms of two factor
authentication for sensitive accounts.
- Treat e-mails from
unknown senders with a high degree of skepticism, and don’t click links
to access secure sites (type the Web address into the browser instead).
Businesses:
- Adopt EV SSL and
educate customers on what the green glow means. Put the EV SSL Certificate
on your home page and every other page where a secure transaction takes
place.
- Don’t offer logins
on pages that are not already in an SSL session.
- Offer two factor
authentication to customers as an optional way to add another layer
of security when accessing accounts.
- Don’t include links
in e-mails to customers, and encourage them to download the latest version
of their favourite browsers.
“Though online criminals have been using low-authentication
SSL Certificates in phishing and man-in-the-middle types of attacks
for years, the Black Hat presentation last week is a good reminder for
end users to remain vigilant when transacting online,” said Tim Callan,
vice president of product marketing for VeriSign. “Security threats
come in many forms and staying a step ahead requires education on the
end-user side and a comprehensive, layered security approach from Web
sites to help ensure that users have a secure experience.”
About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet
infrastructure services for the networked world. Billions of times each
day, VeriSign helps companies and consumers all over the world engage in
communications and commerce with confidence. Additional news and information
about the company is available at www.verisign.com.
Contacts
Media Relations: Victoria Henry, vhenry@verisign.com,
+44 (0) 7920 598 016
Weber Shandwick for VeriSign: Lydia Curtis, Lcurtis@webershandwick.com,
+44 (0)207 067 0513
Investor Relations: Nancy Fazioli, nfazioli@verisign.com,
+1 650-426-5146
Statements in this announcement other than historical
data and information constitute forward-looking statements within the
meaning of Section 27A of the Securities Act of 1933 and Section 21E
of the Securities Exchange Act of 1934. These statements involve risks
and uncertainties that could cause VeriSign's actual results to differ
materially from those stated or implied by such forward-looking statements.
The potential risks and uncertainties include, among others, the uncertainty
of future revenue and profitability and potential fluctuations in quarterly
operating results due to such factors as the inability of VeriSign to
successfully develop and market new products and services and customer
acceptance of any new products or services, including VeriSign EV SSL
solutions; the possibility that VeriSign’s announced new services may
not result in additional customers, profits or revenues; and increased
competition and pricing pressures. More information about potential
factors that could affect the company's business and financial results
is included in VeriSign's filings with the Securities and Exchange Commission,
including in the company's Annual Report on Form 10-K for the year ended
December 31, 2007 and quarterly reports on Form 10-Q. VeriSign undertakes
no obligation to update any of the forward-looking statements after
the date of this press release.
©2009 VeriSign, Inc.
All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle
logo, and other trademarks, service marks, and designs are registered
or unregistered trademarks of VeriSign, Inc., and its subsidiaries in
the United States and in foreign countries. All other trademarks are
property of their respective owners.