
New tool silently undoes SSL behind users' backs

Secure Socket Layer and HTTPS, the bread and butter of internet website security, certainly seem to be getting a bad rap lately – and now they’re about to receive yet another blow: SSLStrip, a man-in-the-middle attack tool for spying on and screwing with SSL web sessions, was released Tuesday – and prematurely to boot.

Despite the fact that SSLStrip’s webpage was unfinished, an unknown hacker managed to guess the tool’s download URL and in turn had it broadcasted on Slashdot for all to see. SSLStrip’s author, Moxie Marlinspike, then quickly cleaned up the webpage and gave it a full release.

SSLStrip was originally unveiled during the recently-concluded Black Hat DC computer security conference, in a presentation titled, “New Tricks for Defeating SSL in Practice.”

So how exactly does it work? SSLStrip uses a well-known technique called “ARP Poison Routing” to fool a computer on a network into routing all its traffic through the hacker's machine, after which the user is presented with an environment that he or she may think is an HTTPS browser session – but actually isn’t. This is reinforced by what Marlinspike calls a switch from “positive” to “negative” feedback: whereas once upon a time web browsers informed users of a successful SSL session through a prevalence of little lock icons and colored URL bars (a.k.a. “positive reinforcement”), they now choose to present users with error messages when something is wrong (“negative reinforcement”).

Complicating this is the fact that most sites use a button on login forms, so users can’t hover their cursor over a link to figure out where it goes. And since “nobody types https://,” the only way that most people experience SSL is through either clicking on links or following webpage redirects.

That’s exactly where SSLStrip fits in: since more often than not the website itself is what users look at to determine if something is “secure”, why not just silently strip out all that pesky HTTPS stuff and feed the user HTTP instead? It avoids the “negative feedback of death”, and most users are none the wiser – and it will even change the site’s favicon to a picture of a lock, just in case.

While the actual attack isn’t that simple, of course, it is pretty close. There are a few additional things – such as handling compression and manipulating users’ cookies – that SSLStrip also performs to make sure the attack works; in his own testing Marlinspike says he grabbed 117 e-mail accounts, 16 credit card numbers, and 7 PayPal logins – all without a single user noticing.

So let this be a warning: the only way you know if your session on a website is secure is by looking specifically for the https:// prefix. Be careful when you log in to a site from a public network, because unless you go mucking through a page’s source code, you can never really be sure if the login process is secure or not.

Comments

Nice.
By HaZaRd2K6 on 2/25/2009 9:28:37 PM , Rating: 3
Like the article, Tom. It was great up until the last sentence when it appears your grammar skills decided they wanted to go for a walk :P

RE: Nice.
By OblivionMage on 2/26/2009 12:05:46 AM , Rating: 2
This is unrelated (to some extent), but does Tom Corelis = TomZ?

RE: Nice.
By TomCorelis on 2/26/2009 1:56:42 PM , Rating: 2

RE: Nice.
By yacoub on 2/27/2009 9:08:57 AM , Rating: 5
only in a world where Corelis=Z

RE: Nice.
By Whaaambulance on 2/27/2009 7:12:09 PM , Rating: 2
I just LOL'd IRL.

RE: Nice.
By amanojaku on 2/28/2009 10:29:09 PM , Rating: 3
I'll bet Don LaFontaine recorded that.

Interesting
By bankerdude on 2/26/2009 8:36:36 AM , Rating: 2
I never really paid attention to it before, but my bank's online website automatically switches me over from http to https when I click the login button. So I suppose in that situation if I weren't specifically looking for the https to appear in the title bar after clicking login and someone had already attacked the site, I could end up entering my username and password on an insecure site. Nice.

whereas once upon a time web browsers informed users of a successful SSL session through a prevalence of little lock icons and colored URL bars (a.k.a. “positive reinforcement”), they now choose to present users with error messages when something is wrong (“negative reinforcement”).

When did that happen? I still see my url bar change colors on IE7 when I'm on a secured site. Plus a lock icon appears in the title as well. Not sure I'm following that one.

RE: Interesting
By Digimonkey on 2/26/2009 8:39:54 AM , Rating: 2
Same with Firefox. There is still a lock icon and the font of the URL changes color when going to a secured site.

RE: Interesting
By Master Kenobi on 2/27/2009 7:54:28 AM , Rating: 2
Indeed, modern browsers change the URL box another color when a real SSL session is established. This would work great for Firefox 1.0-2.0 users, and IE6 or earlier. Could potentially work for anyone still running the old Mozilla browser too from back in the day.

Realistically though it's not very "invisible" on the modern browsers.

RE: Interesting
By Murst on 2/27/2009 11:23:29 AM , Rating: 1
Indeed, modern browsers change the URL box another color when a real SSL session is established

This is not very accurate. There are different types of SSL certificates. For example, you can compare different SSL certificates available via Verisign here: . The fourth row from the top is the "Green Address Bar", and as you can see on that page, only 2 out of 4 certificates have this option ( basically, the most expensive ones ).

So, you have to "upgrade" to a SSL certificate with the green address bar. It is completely valid to have a SSL certificate without the color change, b/c it is not the browser that changes the address bar, but the certificate type. It does not matter how modern the browser is.

RE: Interesting
By Master Kenobi on 3/2/2009 6:56:24 AM , Rating: 2
I would argue then that if they don't care enough to make my URL field turn green, then I don't care enough to purchase their product.

RE: Interesting
By JediJeb on 3/4/2009 2:06:31 PM , Rating: 2
The only indicator of https I get is the https and the lock icon in the lower right of my browser. I just tried it at both Chase and Citibank credit card sites and my bank and no change in the color of the URL field at all. Do these companies not use SSL, or is my browser not set up right? At home I believe the same thing happens and I am using the newest Firefox browser. Honestly I don't ever remember a change in the color of the URL field. Or is this something that only works if using Vista, since I don't have that yet?

RE: Interesting
By xeroshadow on 3/6/2009 4:28:23 AM , Rating: 2
Either way, I will be paying closer attention to the URL. I have noticed one of my credit card companies uses a lock symbol but the page is only http://

RE: Interesting
By on 3/6/2009 8:56:47 AM , Rating: 2
How can it be locked but only http not https? Something not adding up there.

Verify the SSL sites
By Screwballl on 2/26/2009 10:02:15 AM , Rating: 3
Time for the browser programmers to release a verification engine to warn the user if the site being visited is not a proper and verified secure site connection.

For now, there is the Comodo program that can do that for you:

RE: Verify the SSL sites
By GaryJohnson on 2/27/2009 12:55:49 AM , Rating: 2
All the major browsers have a phishing filter. What purpose does vengine serve exactly?

RE: Verify the SSL sites
By MrPoletski on 3/4/2009 1:14:22 PM , Rating: 1
What purpose does vengine serve exactly?

keeps ya nob warm at night.

Copyright 2016 DailyTech LLC.