SSLstrip: Padlocks and https:// Can Be Forged

"The attack is more than theoretical. Marlinspike tested the software on a public server he hosted for users of the Tor anonymous browsing network; he was, by his own account, able to grab passwords to 117 e-mail accounts, 16 credit card numbers, seven PayPal logins and about 300 other logins to supposedly secure sites ranging from Gmail to Ticketmaster to Facebook."
Source: Andy Greenberg, Forbes

Security researcher Moxie Marlinspike presented "SSLstrip" at Black Hat DC 2009. SSLstrip lets an attacker perform man-in-the-middle attacks from Wi-Fi networks, local area networks with a single internet access point, and onion routing networks like Tor. It also includes a proxy mode in which connections between the user and SSLstrip are displayed as secure, complete with a bogus padlock.

According to Marlinspike, websites that use SSL encryption would have to "encrypt everything" to protect against this man-in-the-middle attack. Most websites will be reluctant to do so, as encrypting all content over SSL requires more powerful hardware.

I'd have to say SSLstrip will be downright scary in the hands of the wrong people. Most of today's badware is geared towards financial theft, and SSLstrip will be an effective weapon.


© 2008-2011 Red Audit LLC.