New tool silently undoes SSL behind users' backs

Secure Socket Layer and HTTPS, the bread and butter of internet website security, certainly seem to be getting a bad rap lately – and now they’re about to receive yet another blow: SSLStrip, a man-in-the-middle attack tool for spying on and screwing with SSL web sessions, was released Tuesday – and prematurely to boot.

Despite the fact that SSLStrip’s webpage was unfinished, an unknown hacker managed to guess the tool’s download URL and in turn had it broadcasted on Slashdot for all to see. SSLStrip’s author, Moxie Marlinspike, then quickly cleaned up the webpage and gave it a full release.

SSLStrip was originally unveiled during the recently-concluded Black Hat DC computer security conference, in a presentation titled, “New Tricks for Defeating SSL in Practice.”

So how exactly does it work? SSLStrip uses a well-known technique called “ARP Poison Routing” to fool a computer on a network into routing all its traffic through the hacker's machine, after which the user is presented with an environment that he or she may think is an HTTPS browser session – but actually isn’t. This is reinforced by what Marlinspike calls a switch from “positive” to “negative” feedback: whereas once upon a time web browsers informed users of a successful SSL session through a prevalence of little lock icons and colored URL bars (a.k.a. “positive reinforcement”), they now choose to present users with error messages when something is wrong (“negative reinforcement”).

Complicating this is the fact that most sites use a button on login forms, so users can’t hover their cursor over a link to figure out where it goes. And since “nobody types https://,” the only way that most people experience SSL is through either clicking on links or following webpage redirects.

That’s exactly where SSLStrip fits in: since more often than not the website itself is what users look at to determine if something is “secure”, why not just silently strip out all that pesky HTTPS stuff and feed the user HTTP instead? It avoids the “negative feedback of death”, and most users are none the wiser – and it will even change the site’s favicon to a picture of a lock, just in case.

While the actual attack isn’t that simple, of course, it is pretty close. There are a few additional things – such as handling compression and manipulating users’ cookies – that SSLStrip also performs to make sure the attack works; in his own testing Marlinspike says he grabbed 117 e-mail accounts, 16 credit card numbers, and 7 PayPal logins – all with having absolutely no user response.

So let this be a warning: the only way you know if your session on a website is secure is by looking specifically for the https:// prefix. Be careful when you log in to a site from a public network, because unless you go mucking through a page’s source code, you can never really be sure if the login process is secure or not.

"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook
Related Articles

Latest Blog Posts
Around the World
Saimin Nidarson - Feb 18, 2017, 5:48 AM
News of Future
Saimin Nidarson - Feb 17, 2017, 6:30 AM
Some News
Saimin Nidarson - Feb 14, 2017, 5:36 AM
What's New?
Saimin Nidarson - Feb 10, 2017, 6:15 AM
Unleashed News
Saimin Nidarson - Feb 9, 2017, 6:00 AM
Eye catching news
Saimin Nidarson - Feb 8, 2017, 6:16 AM
Some World News
Saimin Nidarson - Feb 7, 2017, 6:15 AM
Today’s news
Saimin Nidarson - Feb 6, 2017, 10:11 AM
Some News
Saimin Nidarson - Feb 5, 2017, 7:27 AM
Notes and News
Saimin Nidarson - Feb 4, 2017, 5:53 AM
World News
Saimin Nidarson - Feb 3, 2017, 5:30 AM
Gadget News
Saimin Nidarson - Feb 2, 2017, 7:00 AM
News Around The World.
Saimin Nidarson - Feb 1, 2017, 7:20 AM
Some News
Saimin Nidarson - Jan 31, 2017, 7:57 AM
Tips of Today
Saimin Nidarson - Jan 30, 2017, 6:53 AM
What is new?
Saimin Nidarson - Jan 29, 2017, 6:26 AM

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki