Print 17 comment(s) - last by .. on Mar 6 at 8:56 AM

New tool silently undoes SSL behind users' backs

Secure Socket Layer and HTTPS, the bread and butter of internet website security, certainly seem to be getting a bad rap lately – and now they’re about to receive yet another blow: SSLStrip, a man-in-the-middle attack tool for spying on and screwing with SSL web sessions, was released Tuesday – and prematurely to boot.

Despite the fact that SSLStrip’s webpage was unfinished, an unknown hacker managed to guess the tool’s download URL and in turn had it broadcasted on Slashdot for all to see. SSLStrip’s author, Moxie Marlinspike, then quickly cleaned up the webpage and gave it a full release.

SSLStrip was originally unveiled during the recently-concluded Black Hat DC computer security conference, in a presentation titled, “New Tricks for Defeating SSL in Practice.”

So how exactly does it work? SSLStrip uses a well-known technique called “ARP Poison Routing” to fool a computer on a network into routing all its traffic through the hacker's machine, after which the user is presented with an environment that he or she may think is an HTTPS browser session – but actually isn’t. This is reinforced by what Marlinspike calls a switch from “positive” to “negative” feedback: whereas once upon a time web browsers informed users of a successful SSL session through a prevalence of little lock icons and colored URL bars (a.k.a. “positive reinforcement”), they now choose to present users with error messages when something is wrong (“negative reinforcement”).

Complicating this is the fact that most sites use a button on login forms, so users can’t hover their cursor over a link to figure out where it goes. And since “nobody types https://,” the only way that most people experience SSL is through either clicking on links or following webpage redirects.

That’s exactly where SSLStrip fits in: since more often than not the website itself is what users look at to determine if something is “secure”, why not just silently strip out all that pesky HTTPS stuff and feed the user HTTP instead? It avoids the “negative feedback of death”, and most users are none the wiser – and it will even change the site’s favicon to a picture of a lock, just in case.

While the actual attack isn’t that simple, of course, it is pretty close. There are a few additional things – such as handling compression and manipulating users’ cookies – that SSLStrip also performs to make sure the attack works; in his own testing Marlinspike says he grabbed 117 e-mail accounts, 16 credit card numbers, and 7 PayPal logins – all with having absolutely no user response.

So let this be a warning: the only way you know if your session on a website is secure is by looking specifically for the https:// prefix. Be careful when you log in to a site from a public network, because unless you go mucking through a page’s source code, you can never really be sure if the login process is secure or not.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Interesting
By JediJeb on 3/4/2009 2:06:31 PM , Rating: 2
The only indicator of https I get is the https and the lock icon in the lower right of my browser. I just tried it at both Chase and Citibank credit card sites and my bank and no change in the color of the URL Field at all. Do these companies not use SSL or is my browser not set up right. At home I believe the same thing happens and I am using the newest Firefox browser. Honestly I don't ever remember a change in the color of the URL Field. Or is this something that only works if using Vista, since I don't have that yet?

"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki