Secure Socket Layer and HTTPS, the bread and butter of internet website security, certainly seem to be getting a bad rap lately – and now they’re about to receive yet another blow: SSLStrip, a man-in-the-middle attack tool for spying on and screwing with SSL web sessions, was released Tuesday – and prematurely to boot.
Despite the fact that SSLStrip’s webpage was unfinished, an unknown hacker managed to guess the tool’s download URL and in turn had it broadcasted on Slashdot for all to see. SSLStrip’s author, Moxie Marlinspike, then quickly cleaned up the webpage and gave it a full release.
SSLStrip was originally unveiled during the recently-concluded Black Hat DC computer security conference, in a presentation titled, “New Tricks for Defeating SSL in Practice.”
So how exactly does it work? SSLStrip uses a well-known technique called “ARP Poison Routing” to fool a computer on a network into routing all its traffic through the hacker's machine, after which the user is presented with an environment that he or she may think is an HTTPS browser session – but actually isn’t. This is reinforced by what Marlinspike calls a switch from “positive” to “negative” feedback: whereas once upon a time web browsers informed users of a successful SSL session through a prevalence of little lock icons and colored URL bars (a.k.a. “positive reinforcement”), they now choose to present users with error messages when something is wrong (“negative reinforcement”).
Complicating this is the fact that most sites use a button on login forms, so users can’t hover their cursor over a link to figure out where it goes. And since “nobody types https://,” the only way that most people experience SSL is through either clicking on links or following webpage redirects.
That’s exactly where SSLStrip fits in: since more often than not the website itself is what users look at to determine if something is “secure”, why not just silently strip out all that pesky HTTPS stuff and feed the user HTTP instead? It avoids the “negative feedback of death”, and most users are none the wiser – and it will even change the site’s favicon to a picture of a lock, just in case.
While the actual attack isn’t that simple, of course, it is pretty close. There are a few additional things – such as handling compression and manipulating users’ cookies – that SSLStrip also performs to make sure the attack works; in his own testing Marlinspike says he grabbed 117 e-mail accounts, 16 credit card numbers, and 7 PayPal logins – all with having absolutely no user response.
So let this be a warning: the only way you know if your session on a website is secure is by looking specifically for the https:// prefix. Be careful when you log in to a site from a public network, because unless you go mucking through a page’s source code, you can never really be sure if the login process is secure or not.