When a small padlock appears in the corner of your Web browser's address bar or the entire bar turns green, it seems like a powerful signal you're safe to proceed.

But experts say the SSL certificates those green lights signify — digital stamps of approval that Web sites buy to prove they're running a legitimate business and can send and receive encrypted data safely — don't provide the safety they seem to.

"They instill some sense of security, but that could be a dangerously false sense of security," said Paul Mutton, a researcher with UK-based security firm Netcraft Ltd.

Attacks are still possible because having an SSL certificate only indicates that a third party has verified the identity of the site's owner and set up an encrypted line of communication with the site.

The site itself could still be riddled with security holes for hackers to exploit. And the certificate could simply be bogus: Criminals have been forging them to get the padlock icon and dress up fraudulent sites.

In response, companies that sell the certificates began offering an enhanced version about a year ago, for which about 5,000 site owners worldwide have undergone an extra level of scrutiny that includes face-to-face visits.

But even those sites may contain malicious code. Researchers from Netcraft said last week they discovered vulnerabilities in four sites boasting Extended Validation SSL certificates.

Criminals could exploit the flaws to create programs to steal passwords and credit card numbers, for example. Data stolen by those malicious programs is siphoned off outside the encryption SSL provides, and thus is totally visible to hackers, Netcraft's Mutton said.

Security experts said Netcraft's report highlights the continued need for up-to-date antivirus protection and for users to be cautious about where they enter sensitive data.