|
|
Opera SSL Security Feature Design Error Vulnerability
Opera is prone to a design error that can result in a false sense of security. The issue resides in a security feature that is available in Opera version 8 Beta 3. The new security feature displays the Organization Name derived from an SSL certificate in the address bar field for an SSL-secured site. The Organization info is based on the legal name under which an organization is registered. Any company may apply for and obtain an SSL certificate that contains Organization info that matches or is similar to other target company names. The problem arises because the Organization Name of an SSL certificate is not intended to be unique. Since this field is not unique, it can't serve as the sole means for the user to trust the authenticity of a site. Therefore, this security feature may be abused and may yield a false sense of security for users because they may fail to manually inspect certificate properties. In situations where an attacker has successfully obtained a certificate from a Certificate Authority (CA) that has a misleading or spoofed Organization Name, this may lend authenticity to a malicious site maintained by the attacker. |
|
Privacy Statement |