Extended Validation certificates and XSS considered harmful

A cross-site scripting vulnerability on the popular SourceForge.net website shows how the extra trust signalled by an Extended Validation SSL certificate could be exploited by fraudsters. Piggybacking on the anticipated extra trust instilled by the presence of an EV SSL certificate, arbitrary content could be injected into the secure page at SourceForge to create a very convincing phishing attack. The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker. The certificate vouches for the identity of the server the page came from, not for the integrity of the HTML that server emits, so an attacker who can inject content into the page gets the green bar for free.

[Screenshot: ie7-resized.png] The vulnerable page at SourceForge in Internet Explorer 7, showing the green address bar and injected JavaScript being executed

Extended Validation SSL certificates were originally created as a direct response to the rise in internet fraud, with additional verification processes reducing the likelihood of erroneously issuing a certificate to an unauthorised party. Modern web browsers treat EV SSL certificates differently to ordinary SSL certificates, typically turning the address bar green to show that a site can be trusted. Once users are conditioned into thinking that green means good, this could prove harmful when an EV SSL site contains a cross-site scripting vulnerability.
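The pattern behind the SourceForge finding is an ordinary reflected XSS: a request parameter is echoed into the page without encoding. The following is an added illustration, not code from the Netcraft article or from SourceForge, showing a vulnerable sink beside its hardened form and the check a tester applies to tell them apart. The request path, parameter name and payload are constructed for the example; nothing here depends on TLS, which is the point: the HTML a server emits is unaffected by the certificate it serves it under.

```javascript
// Added illustration, not code from the Netcraft article or from SourceForge:
// a reflected-XSS sink beside its hardened form. The page in the scenario
// above is served with an EV certificate; the browser's green bar says nothing
// about whether the HTML below was built safely.

// Encode a value for insertion into an HTML text node or quoted attribute.
// Other contexts (inline JavaScript, URLs, CSS) need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter is concatenated straight into the page.
function renderSearchUnsafe(query) {
  return `<h1>Search results for ${query}</h1>`;
}

// Hardened: identical template, untrusted value encoded at the output point.
function renderSearchSafe(query) {
  return `<h1>Search results for ${escapeHtml(query)}</h1>`;
}

// Pull the parameter out of a request URL the way a handler would.
// The path and parameter name are hypothetical, not SourceForge's.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// The test a pentester applies: does the page echo the payload unchanged?
function reflectsUnescaped(html, payload) {
  return html.includes(payload);
}

// Constructed attack URL: the payload replaces the page body with a fake
// login form. In the scenario above the address bar would still be green.
const payload = '<script>document.body.innerHTML="<form>fake login</form>"</script>';
const attackUrl = 'https://example.test/search?q=' + encodeURIComponent(payload);

const q = queryFromUrl(attackUrl);
console.log(reflectsUnescaped(renderSearchUnsafe(q), payload)); // true: vulnerable
console.log(reflectsUnescaped(renderSearchSafe(q), payload));   // false: encoded
console.log(renderSearchSafe(q));
```

Encoding at the output point is what matters; encoding on input is fragile because the same value may later be emitted into a different context. A tester probing a page over an EV connection runs exactly the same reflection check as on any other page.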

The number of EV SSL certificates in use worldwide is still relatively small and has only recently risen above 4,000. SourceForge is a large open source software development website, with a high ranking amongst users of the Netcraft Toolbar, and uses a VeriSign Class 3 Extended Validation SSL certificate for its main secure site at https://sourceforge.net.

[Screenshot: firefox-small.png] Nightly builds of Firefox also display the green address bar element

Both Internet Explorer 7 and recent nightly builds of the Mozilla Firefox web browser display a green address bar when accessing the vulnerable page at SourceForge, even when it is used to inject content that may have been created by a fraudster. Netcraft has informed SourceForge about this issue, although the xssed.com mirror, where this vulnerability was first documented, suggests that it has remained unfixed since last year.

This discovery (believed to be the first documented case of XSS on an EV SSL website) highlights the need to remain wary of web application security, even when delivered with the most secure and trusted option of Extended Validation SSL certificates.

Netcraft offers extensive web application penetration and security testing services to identify vulnerabilities such as cross-site scripting.

Extended Validation SSL Certificates now 1 Year Old

Extended Validation SSL certificates are now a year old, with the total number of EV SSL sites now above 4,000 representing 0.5% of the valid third party certificates that the Netcraft SSL Survey finds on the Internet. Absolute growth of EV SSL certificates has remained largely constant for several months, and the total is dwarfed by the 809,000 sites that use traditional SSL certificates.

[Graph: ev-ssl-growth.png]

A year ago, Netcraft’s SSL Survey found a total of 81 sites using EV SSL certificates, five of which have since reverted to conventional SSL certificates. Interestingly, three of these sites belong to certificate authorities. VeriSign no longer uses EV SSL certificates for either admin-manager.verisign.com or onsite.verisign.com, while Entrust no longer uses an EV SSL certificate for www.entrust.com, although this site redirects users to secure.entrust.com, which does use EV SSL. The two other sites to have stopped using extended validation are www.dunbarvalutrak.com, a system for tracking valuables and cash in transit, and www.senderra.com, a service mark of Avelo Mortgage, L.L.C.

The number of desktops which recognise EV SSL certificates is set to increase this month. On February 12th, Microsoft released the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services. After this date, customers who have configured WSUS to auto-approve Update Rollup packages will have all instances of Internet Explorer 6 upgraded to version 7. Microsoft Knowledge Base article 946202 describes how administrators may deploy Internet Explorer 7 using WSUS, or how to postpone the update.

[Screenshot: root-update.png]

For users of Windows Vista, Internet Explorer 7 turns the address bar green when a user visits a site which offers a valid EV SSL certificate, helping to boost consumer confidence in such sites and reduce fraud. By default, Windows XP users will not see the green address bar unless they install an optional Root Certificates Update, which will enable the use of EV SSL certificates.

[Screenshot: firefox-ev-paypal.png]

In addition to the Internet Explorer 7 push, nightly builds of the Firefox web browser now also support EV SSL certificates, using the VeriSign EV root for testing purposes. Other EV SSL certificates are currently treated as conventional SSL certificates, although when Firefox 3 is ready to be released to the public, it is expected to have full support for all EV SSL certificates.

Further trends and observations are made in Netcraft’s monthly SSL Survey.

Swishmail is the Most Reliable Hosting Company in January 2008

Ranking by failed requests and connection time, January 1st - 31st 2008

[Table: performance_january2008.png]

Swishmail is the most reliable hosting company site for January 2008, closely followed by Seeweb, New York Internet, WebFusion and 3FN.

2008 looks promising for Swishmail, with its second consecutive appearance in first place. Swishmail's US-hosted website is powered by FreeBSD, Apache and PHP and they offer a variety of professional and enterprise web hosting plans. Their core service, however, is in business mail hosting, offering businesses a quick and reliable secure electronic mail system that filters out viruses.

Five of January’s top ten hosting company sites run Linux on their main sites, while four, including Swishmail, run FreeBSD. The only Windows-based site within the top ten this month is Go Daddy’s, which runs Windows Server 2003.


February 2008 Web Server Survey

Growth is up again this month, with the February 2008 survey receiving responses from 158,209,426 sites. This is an increase of 2.6 million sites, compared with last month's unusually low growth of only 354 thousand.

Apache continues to climb back, now reaching nearly 51% of the market share, while both Microsoft and Google fall slightly in share.

Some strong growth is seen amongst the smaller web servers. LiteSpeed grows by a further 10% this month, now approaching half a million sites with a total of 476 thousand hostnames. The LiteSpeed web server is designed as a drop-in replacement for Apache and is used by the WordPress.com blogging service. LiteSpeed was the fastest and most robust server that WordPress had tested, according to its founding developer, Matthew Mullenweg.

Unusually, America Online's open source AOLserver sees tremendous growth, jumping from 35 thousand to 105 thousand sites in just one month. AOLserver is a multithreaded, Tcl-enabled web server which can be used for large scale, dynamic web sites, but has not seen the release of a new version since 2006. The majority of the new sites served by AOLserver are hosted in Poland.

[Graph: Total Sites Across All Domains, August 1995 - February 2008]

[Graph: Market share for top servers across all domains, August 1995 - February 2008]

Top Developers

Developer    January 2008    Percent    February 2008    Percent    Change
Apache       78,735,581      50.61%     80,580,183       50.93%     +0.33
Microsoft    55,709,926      35.81%     56,265,527       35.56%     -0.24
Google       8,290,471       5.33%      8,169,930        5.16%      -0.16
lighttpd     1,536,981       0.99%      1,565,536        0.99%      0.00
Sun          557,673         0.36%      547,510          0.35%      -0.01


Fraudster using phone numbers to receive authentication details

The Bank of Lancaster County is currently being targeted by a phishing attack that does away with the traditional web-based phishing forms. Instead, victims are asked to phone a toll free number to reactivate their card.

The scam is initiated by sending out phishing emails claiming that the victim's VISA card has been deactivated because it may have been used in illegal activities. Rather than clicking on a hyperlink and visiting a website to resolve the problem, victims are asked to call a phone number based in Erie, Pennsylvania. To add credibility to the attack, the email claims that the phone number is toll free, but it is not.

[Screenshot: bankoflancaster.png]

Stealing credentials via phone remains a relatively rare phishing technique. For scalability, attacks like these are usually carried out by sending emails rather than initiating phone calls, and request that the recipient calls a phone number which purportedly belongs to the bank.

Ironically, phone phishing could prove more effective due to the methods some banks use to combat fraud. Some make automated phone calls to cardholders in the event of suspicious transactions, with the cardholder being prompted to respond by entering personal details before confirming a transaction. In practice, the cardholder has no way of ascertaining that the phone call is really coming from their bank, and expecting the cardholder to trust the automated caller is effectively grooming the bank's customers into falling for phone based phishing attacks.

The Bank of Lancaster County has published an alert advising customers about fraudulent emails that contain phone numbers, which when called, ask for personal information including account passwords and credit card numbers.

January 2008 Web Server Survey

In the January 2008 survey we received responses from 155,583,825 sites, reflecting a much slower growth of only 354 thousand sites, compared with last month, where the increase was 5.4 million.

Apache continues its recovery after steep falls in share over the last eighteen months and is back over 50%. Its share had been depressed over that period by the increasing number of blog sites in the survey hosted by large providers like Microsoft and Google, which use their own server software. It is now also benefiting from growth at other blog providers such as Multiply.

There has been significant growth in recent months for some newer entrants to the survey. While lighttpd's share, particularly of active sites, has stagnated, there has been good growth for nginx (an open-source web server developed in Russia), which passes 0.5% of the web server market this month. There is also good growth for LiteSpeed, a commercial web server designed as a high-performance drop-in replacement for Apache, which passes 400,000 hostnames this month, partly due to its use by the blogging provider WordPress.com.

[Graph: Total Sites Across All Domains, August 1995 - January 2008]

[Graph: Market share for top servers across all domains, August 1995 - January 2008]

Top Developers

Developer    December 2007    Percent    January 2008    Percent    Change
Apache       76,945,640       49.57%     78,735,581      50.61%     +1.04
Microsoft    55,509,223       35.76%     55,709,926      35.81%     +0.05
Google       8,558,256        5.51%      8,290,471       5.33%      -0.18
lighttpd     1,521,250        0.98%      1,536,981       0.99%      +0.01
Sun          588,997          0.38%      557,673         0.36%      -0.02
