
SSL Critical Security Weakness Revealed


 

This is not news to the experts, but SSL (Secure Sockets Layer) is not as secure as it is supposed to be.

The SSL security protocol is receiving a critical security update. This update does not concern the SSL encryption itself, but the authentication of the websites initiating the SSL connection.

To establish an SSL connection, a website must possess a certificate. However, one method of obtaining these certificates, domain validation, is easily hackable. A hacker can put up a website that looks like a legitimate one and have it identified by the user's browser through his own valid certificate. This is the basic approach of most phishing attacks.

To combat these attacks, a new generation of certificates has been set up. These EV (Extended Validation) certificates are issued after stronger due diligence on the entity that owns the website and, supposedly, cannot be obtained by a hacker.
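The difference between domain-validated and EV certificates is recorded in the certificate itself, as a policy identifier in the certificatePolicies extension. The following is an added example, not part of the original post: it reads that extension from DER bytes (a bare extension or a whole certificate) and reports the validation level, using the policy OIDs reserved by the CA/Browser Forum; the sample bytes are constructed for the illustration.

```python
# CA/Browser Forum reserved policy OIDs and the validation level each one marks.
LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies

def children(buf):
    """Yield (tag, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(value):
    """Decode DER OID content bytes to dotted notation."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs, acc = arcs + [acc], 0
    x = min(arcs[0] // 40, 2)  # first value packs the first two arcs as 40*x + y
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def find_extension(buf, oid):
    """Depth-first search for the Extension with this extnID; return extnValue or None."""
    for tag, value in children(buf):
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        kids = list(children(value))
        if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == oid:
            return kids[-1][1]  # extnValue comes last, after the optional BOOLEAN
        found = find_extension(value, oid)
        if found is not None:
            return found

def validation_level(der):
    """Return 'EV', 'OV', 'DV' or 'unknown' for a DER certificate or extension."""
    ext = find_extension(der, CERT_POLICIES)
    if ext is None:
        return "unknown"
    _, policies = next(children(ext))  # SEQUENCE OF PolicyInformation
    found = {LEVELS.get(decode_oid(next(children(info))[1]))
             for _, info in children(policies)}
    return next((lvl for lvl in LEVELS.values() if lvl in found), "unknown")

SAMPLE_EV_EXT = bytes.fromhex("30120603551d20040b30093007060567810c0101")  # constructed
```

A certificate that carries none of the three reserved OIDs is reported as "unknown"; the level says how the owner was vetted at issuance, not whether the connection is reaching that owner.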

However, even the use of EV certificates is not a perfect solution. When you connect to an open WiFi hotspot, it is possible to take control of the DNS (Domain Name System) of the access point and redirect the traffic to a fake website once the authentication is performed on the legitimate website. In this case neither the browser nor the user sees the trick.

 

Feel free to leave your comments and feedback.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
