Feeds

Hacker pokes new hole in secure sockets layer

Moxie Marlinspike's man-in-the-middle

The Power of One eBook: Top reasons to choose HP BladeSystem

Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.

Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.

The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.

"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."

Marlinspike said SSLstrip is able to work because the vast majority of sites that use SSL begin by showing visitors an unencrypted page and only offer the protection for sections where sensitive information is transmitted. When a user clicks on a login page, for instance, the tool alters the site's unencrypted response so the "https" is changed to "http." The website, however, continues to operate under the assumption the connection is encrypted.

Designing a Defense for Mobile Applications

Next page: Two-fold Technique

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.