The confidence on the safety of more expensive and advanced digital authentication for online transactions may be misplaced. Two researchers show how these certificates are still vulnerable to low-level spoofing attacks that are used against cheaper security certificates.

These certificates, known as EV SSL or extended validation secure sockets layer certificates, were widely thought to immune to middle-in-the-man (MITM) attacks – such as when hackers waiting in an unsecured spot in a network or Wi-Fi hotspot intercepts data between a user and a site being currently accessed. When ordinary SSL certificates were shown to be vulnerable to these kinds of attacks, issuers of EV SSL claimed that their more expensive offering were immune to MITM attacks.

However, researchers Mike Zusman and Alexander Sotirov have proven this assumption of immunity false by demonstrating how MITM attacks may be done against EV SSL-issuing services. Due to loopholes present in the security design of many browsers, it has been shown that performing an MITM attack is possible and still cause the browser to display an indication that EV SSL protection is still uncompromised. Though an MITM attack on an EV SSL protected service still requires acquiring a spoofed SSL certificate, obtaining one is not such a difficult task. The researchers have shown the possibility of obtaining an SSL certificate for Mozilla.com without restrictions. It was also shown that it was possible to obtain a certificate from Microsoft’s login.live.com.

With the compromised SSL certificate, the hacker can use it to inject malicious JavaScript while the victim accesses the legitimate EV-protected page. Since many browsers cannot distinguish between an EV SSL certificate and a spoofed one, many continue displaying the default green bar that certifies EV SSL protection.

With the malicious script injected, the victim is at the mercy of the hacker. The hacker can modify the site, intercept the data being transmitted between the site and the user, and even intercept the user’s keystrokes.

However, Sotirov does not believe that EV SSLs are completely useless, as this still provides a layer of user verification and requires additional applicant identity vetting- an improvement over previous SSL certificates.