Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.

Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.

The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.

"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."

Marlinspike said SSLstrip is able to work because the vast majority of sites that use SSL begin by showing visitors an unencrypted page and only offer the protection for sections where sensitive information is transmitted. When a user clicks on a login page, for instance, the tool alters the site's unencrypted response so the "https" is changed to "http." The website, however, continues to operate under the assumption the connection is encrypted.

Two-fold Technique

SSLstrip manages to fool the user into believing he has an encrypted connection with the intended website through several clever slights on hand. First, the tool uses a proxy on the local area network that contains a valid SSL certificate, causing the browser to display an "https" in the address bar.

Second, it uses homographic techniques to create a long URL that includes a series of fake slash marks in the address. (To prevent browsers from converting the characters to punycode, he had to obtain a domain-validated SSL wildcard cert for *.ijjk.cn).

"The diabolical thing is it looks like https://gmail.com," Marlinspike told The Register. "The problem is this bridge between http and https and that is a fundamental part of how SSL is deployed on the web. Changing that is not gong to be easy."

Marlinspike has successfully used the ruse on people using both the Firefox and Safari browsers. While he hasn't tested it on Internet Explorer, he assumes the technique works there too. And even if it doesn't, he says there's plenty of reason to believe even security-cautious users don't take the time to ensure their sessions are encrypted.

To prove his point, he ran SSLstrip on a server hosting a Tor anonymous browsing network. During a 24-hour period, he harvested 254 passwords from users visiting sites including Yahoo, Gmail, Ticketmaster, PayPal, and LinkedIn. The users were fooled even though SSLstrip wasn't using the proxy feature that tricks them into believing they were at a secure site. Sadly, the Tor users entered passwords even though the addresses in their address bars didn't display the crucial "https." (Marlinspike said he later disposed of all personally identifiable information).

The attack is sure to touch off more head-scratching at places like Mozilla, Microsoft and VeriSign, where engineers have been wrestling with ways to make the SSL process more reliable. The easiest countermeasure is for users to type the entire https address into a browser (or better yet store it in a bookmark) so a tool like SSLstrip never gets a chance to alter a website's unencrypted link.

Additionally, although we've questioned the need for so-called extended validation SSL in the past, the new-fangled measure is one way to prevent users from being tricked by SSLstrip's proxy ruse.

EVSSL still won't protect users who don't take the time to look for an https in their browser's address bar each and every time they log in. And even if they did, many websites - take Wachovia's, for example - don't bother to display an https on login pages, so there would be no way for users at this site to know they were under attack until it was too late.

Marlinspike, who in 2002 demonstrated a separate https-busting tool called SSLSniff, said he sees no viable fix for the vulnerability, which he adds can be exploited in several additional ways he has yet to disclose.

"The ultimate solution," he said, "is to encrypt everything." ®

Related stories

• WhisperSystems creates 'suicide pill' for phones (28 January 2014)

  https://www.theregister.com/2014/01/28/whispersystems_creates_suicide_pill_for_phones/

• Twitter crypto purchase leaves Egypt dissidents in lurch (28 November 2011)

  https://www.theregister.com/2011/11/28/twitter_buys_whisper_systems/

• Google: SSL alternative won't be added to Chrome (8 September 2011)

  https://www.theregister.com/2011/09/08/google_chrome_rejects_convergence/

• World ostracizes firm that issued bogus Google credential (30 August 2011)

  https://www.theregister.com/2011/08/30/fraudulent_google_cert_update/

• Want an untracked Android? Here’s how (5 May 2011)

  https://www.theregister.com/2011/05/05/marlinspike_kills_android_tracking/

• How is SSL hopelessly broken? Let us count the ways (11 April 2011)

  https://www.theregister.com/2011/04/11/state_of_ssl_analysis/

• Free Android encryption comes to Egypt (10 February 2011)

  https://www.theregister.com/2011/02/10/android_encryption_egypt/

• VeriSign SSL certs open to tampering, competitor warns (24 June 2010)

  https://www.theregister.com/2010/06/24/verisign_comodo_ssl_flap/

• RSA says it fathered orphan credential in Firefox, Mac OS (6 April 2010)

  https://www.theregister.com/2010/04/06/mysterious_mozilla_apple_certificate/

• Privacy service knocked offline by 'no bullsh*t' registrar (5 April 2010)

  https://www.theregister.com/2010/04/05/googlesharing_cert_revoked/

• Your health, tax, and search data siphoned (23 March 2010)

  https://www.theregister.com/2010/03/23/side_channel_attacks_web_apps/

• Wiseguys net $25m in ticket scalping racket (1 March 2010)

  https://www.theregister.com/2010/03/01/ticket_scalping_hack/

• Tor software updated after hackers crack into systems (22 January 2010)

  https://www.theregister.com/2010/01/22/tor_security_update/

• Google flips default switch for always-on Gmail crypto (13 January 2010)

  https://www.theregister.com/2010/01/13/gmail_default_encryption/

• Fix finalized for SSL protocol hole (8 January 2010)

  https://www.theregister.com/2010/01/08/ssl_fix/

• Cisco and Juniper 'clientless' VPNs expose netizens (30 November 2009)

  https://www.theregister.com/2009/11/30/vpn_authentication_weakness/

• Researcher busts into Twitter via SSL reneg hole (14 November 2009)

  https://www.theregister.com/2009/11/14/ssl_renegotiation_bug_exploited/

• Tech titans meet in secret to plug SSL hole (5 November 2009)

  https://www.theregister.com/2009/11/05/serious_ssl_bug/

• Man banished from PayPal for showing how to hack PayPal (6 October 2009)

  https://www.theregister.com/2009/10/06/paypal_banishes_ssl_hacker/

• IE, Chrome, Safari duped by bogus PayPal SSL cert (5 October 2009)

  https://www.theregister.com/2009/10/05/fraudulent_paypay_certificate_published/

• SSL spoof bug still haunts IE, Safari, Chrome (1 October 2009)

  https://www.theregister.com/2009/10/01/microsoft_crypto_ssl_bug/

• Brute-force attacks target two-year hole in Yahoo! Mail (18 September 2009)

  https://www.theregister.com/2009/09/18/ongoing_yahoo_mail_attacks/

• Wildcard certificate spoofs web authentication (30 July 2009)

  https://www.theregister.com/2009/07/30/universal_ssl_certificate/

• Researchers poke holes in super duper SSL (28 March 2009)

  https://www.theregister.com/2009/03/28/ev_ssl_spoofing/

• Firefox went ton up in bugs in 2008 (5 March 2009)

  https://www.theregister.com/2009/03/05/secunia_security_stats/

• Firefox update tackles critical memory bugs (5 March 2009)

  https://www.theregister.com/2009/03/05/firefox_update/

• VeriSign remedies massive SSL blunder (kinda, sorta) (9 January 2009)

  https://www.theregister.com/2009/01/09/verisign_ssl_remedy/

• Boffins bust web authentication with game consoles (30 December 2008)

  https://www.theregister.com/2008/12/30/ssl_spoofing/

• Web who's who botches secure sockets layer (15 December 2008)

  https://www.theregister.com/2008/12/15/flawed_ssl_certs/

• CookieMonster nabs user creds from secure sites (11 September 2008)

  https://www.theregister.com/2008/09/11/cookiemonstor_rampage/

• VPN security - if you want it, come and get it (1 September 2008)

  https://www.theregister.com/2008/09/01/openvpn_primer/

• Google gives GMail always-on encryption (25 July 2008)

  https://www.theregister.com/2008/07/25/gmail_adds_https_only/

• 'Secure' PayPal page is... you guessed it (16 May 2008)

  https://www.theregister.com/2008/05/16/paypal_page_succumbs_to_xss/

• Et tu, Gmail? Simple hack defeats last barrier to decades-old attack (1 February 2008)

  https://www.theregister.com/2008/02/01/google_ssl_sidejacking/

• A US CERT reminder: The net is an insecure place (8 September 2007)

  https://www.theregister.com/2007/09/08/security_group_warns_of_web_vulnerabity/

• Flash: Public Wi-Fi even more insecure than previously thought (2 August 2007)

  https://www.theregister.com/2007/08/02/public_wifi_hack/