Friday, June 25, 2010

A KIND OF SPOOFING PROBLEM



A class of attacks presented in 2009 increases the potential for attackers to compromise enterprise servers and the critical data on them. Solutions are available, and they will require action by company officers.

“SSLStrip” and related attacks were among the highlights of the July 2009 Black Hat show in Las Vegas. Researcher Moxie Marlinspike combined a number of separate problems, not all related to SSL, to create a convincing scenario in which users attempting to work with secure web sites were instead sent to malicious fake sites. SSLStrip itself is a man-in-the-middle downgrade: the attacker rewrites the HTTPS links a user would have clicked into plain HTTP and proxies the traffic, so the user never sees a certificate warning. One of the core problems described by Marlinspike is a separate certificate-parsing flaw: a certificate's common name (CN) field is a length-counted string, so it can contain a null character, and a certificate authority that only verifies control of the domain after the null (for example, attacker.test) will happily sign a CN such as login.example.com\0.attacker.test. Software that treats the CN as a C string stops reading at the null and sees only login.example.com, so the browser or client accepts the forged certificate for the victim site. Because this flaw lies in how the client parses the certificate rather than in user behaviour, it is not limited to browsers: a server-to-server connection whose client library made the same mistake would accept the forged certificate, with the potential for mass compromise of confidential data.
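The following C example, added here and not part of the original post, shows the null-prefix comparison bug beside a hardened version. The certificate name login.example.com\0.attacker.test and the expected host are constructed for illustration; a real client would pull the CN (and subjectAltName entries) out of the parsed certificate with their lengths, which is what the `cn`/`cn_len` parameters stand in for.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed CN as it sits in the certificate's DER encoding: a
 * length-counted string, so the NUL byte is just another character to
 * the CA's issuance software. Assumed names, not from the original post.
 */
static const char SPOOFED_CN[] = "login.example.com\0.attacker.test";
static const size_t SPOOFED_CN_LEN = sizeof(SPOOFED_CN) - 1; /* 32 bytes, NUL at offset 17 */

/*
 * Vulnerable: copy the DER string into a C buffer and compare with
 * strcmp(). strcmp() stops at the first NUL, so only "login.example.com"
 * is compared and the forged certificate is accepted.
 */
bool vulnerable_match(const char *cn, size_t cn_len, const char *expected_host)
{
    char buf[256];
    if (cn_len >= sizeof(buf)) {
        return false;
    }
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, expected_host) == 0;   /* truncates at embedded NUL */
}

/*
 * Hardened: treat the CN as a length-counted byte string. Reject any
 * embedded NUL outright (no legitimate DNS label contains one), require
 * the lengths to match, then compare every byte case-insensitively,
 * since DNS names are case-insensitive.
 */
bool safe_match(const char *cn, size_t cn_len, const char *expected_host)
{
    if (memchr(cn, '\0', cn_len) != NULL) {
        return false;                         /* embedded NUL: forged or malformed */
    }
    if (cn_len != strlen(expected_host)) {
        return false;                         /* full length must match */
    }
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower((unsigned char)cn[i]) != tolower((unsigned char)expected_host[i])) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    const char *host = "login.example.com";
    printf("vulnerable client accepts forged CN: %s\n",
           vulnerable_match(SPOOFED_CN, SPOOFED_CN_LEN, host) ? "yes" : "no");
    printf("hardened client accepts forged CN:   %s\n",
           safe_match(SPOOFED_CN, SPOOFED_CN_LEN, host) ? "yes" : "no");
    return 0;
}
```

The same length-aware comparison has to be applied to every name the client considers, including subjectAltName dNSName entries and wildcard patterns; fixing only the CN path leaves the bug reachable through the other fields.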

This spoofing problem is addressed by correct use of Extended Validation (EV) SSL certificates for authentication. EV issuance requires the CA to verify the applicant organisation's legal identity and its right to the names in the certificate, not merely automated proof of control over a domain, so a CA following the EV guidelines would not sign a name of the kind described above. Correct use means the relying client must require an EV certificate from an expected issuer (checking for the EV certificate policy OID in the certificate) rather than accepting any certificate chaining to a trusted root; a client that still accepts ordinary domain-validated certificates gains nothing, because the attacker simply presents one of those. Client libraries should also be patched to reject null characters in certificate names, since that is the underlying parsing flaw. Moving certificate-based enterprise authentication to EV SSL, with that policy check enforced, would therefore protect an organization against this form of attack.