Feeds

Hacker pokes new hole in secure sockets layer

Moxie Marlinspike's man-in-the-middle

Choosing a cloud hosting partner with confidence

Two-fold Technique

SSLstrip manages to fool the user into believing he has an encrypted connection with the intended website through several clever slights on hand. First, the tool uses a proxy on the local area network that contains a valid SSL certificate, causing the browser to display an "https" in the address bar.

Second, it uses homographic techniques to create a long URL that includes a series of fake slash marks in the address. (To prevent browsers from converting the characters to punycode, he had to obtain a domain-validated SSL wildcard cert for *.ijjk.cn).

"The diabolical thing is it looks like https://gmail.com," Marlinspike told The Register. "The problem is this bridge between http and https and that is a fundamental part of how SSL is deployed on the web. Changing that is not gong to be easy."

Marlinspike has successfully used the ruse on people using both the Firefox and Safari browsers. While he hasn't tested it on Internet Explorer, he assumes the technique works there too. And even if it doesn't, he says there's plenty of reason to believe even security-cautious users don't take the time to ensure their sessions are encrypted.

To prove his point, he ran SSLstrip on a server hosting a Tor anonymous browsing network. During a 24-hour period, he harvested 254 passwords from users visiting sites including Yahoo, Gmail, Ticketmaster, PayPal, and LinkedIn. The users were fooled even though SSLstrip wasn't using the proxy feature that tricks them into believing they were at a secure site. Sadly, the Tor users entered passwords even though the addresses in their address bars didn't display the crucial "https." (Marlinspike said he later disposed of all personally identifiable information).

The attack is sure to touch off more head-scratching at places like Mozilla, Microsoft and VeriSign, where engineers have been wrestling with ways to make the SSL process more reliable. The easiest countermeasure is for users to type the entire https address into a browser (or better yet store it in a bookmark) so a tool like SSLstrip never gets a chance to alter a website's unencrypted link.

Additionally, although we've questioned the need for so-called extended validation SSL in the past, the new-fangled measure is one way to prevent users from being tricked by SSLstrip's proxy ruse.

EVSSL still won't protect users who don't take the time to look for an https in their browser's address bar each and every time they log in. And even if they did, many websites - take Wachovia's, for example - don't bother to display an https on login pages, so there would be no way for users at this site to know they were under attack until it was too late.

Marlinspike, who in 2002 demonstrated a separate https-busting tool called SSLSniff, said he sees no viable fix for the vulnerability, which he adds can be exploited in several additional ways he has yet to disclose.

"The ultimate solution," he said, "is to encrypt everything." ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.