SSL Issues: From Man-in-the-Middle Attacks to Hackers

Saturday, April 16, 2011

Dan Dieterle


There was a very good article this week in The Register that talks about the issues with SSL.

We have been taught over the years that if the website you are visiting uses HTTPS (instead of the standard HTTP address) and you have a little lock icon show up in your browser, then your web frolicking is safe and encrypted.

But that may not necessarily be true.

Security researcher Moxie Marlinspike has shown time and again that SSL can be intercepted and the encryption bypassed.

One only has to look at his program SSLstrip to see this in action.

It works as a man-in-the-middle attack: it takes your request for an HTTPS-encrypted site and steps in between, creating the encrypted link with the target system itself while communicating with your system completely unencrypted.

I saw a presentation once by Moxie where he talked about running SSLstrip on a Tor exit node (Tor is a program used for surfing anonymously online).

He then mentioned all the passwords and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text. (You don’t shop using Tor, do you?)

He also talked about the inherent weaknesses of SSL, which was also the topic of The Register’s article.

According to the article, hacker attacks aside, there seems to be little verification before certificates are handed out.

For example, in 2008 Mike Zusman from the security firm Intrepidus Group was able to purchase a certificate for Microsoft’s Live.com domain. In the same year a separate researcher was able to purchase a certificate for Mozilla.com.

But those are just a few that slipped by, right?

Not necessarily:

Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft exchange servers and other internal resources.
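A name like “exchange” is not unique to one owner, so a certificate for it is valid on any network where that name resolves. As an added example (not from the original post or The Register’s article), this Python sketch flags unqualified names in certificates you have collected; it assumes the dict layout returned by Python’s `ssl` `getpeercert()`, and the inventory below is constructed sample data.

```python
import ipaddress

def is_unqualified(name):
    """True if a certificate DNS name is a single label such as 'exchange01'."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]              # judge a wildcard by the suffix it covers
    if not host:
        return False
    try:
        ipaddress.ip_address(host)   # IP literals (incl. dot-free IPv6) are not host names
        return False
    except ValueError:
        return "." not in host

def cert_dns_names(cert):
    """Collect commonName and DNS subjectAltName values from a getpeercert()-style dict."""
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names.update(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return names

def audit(inventory):
    """Map certificate id -> sorted unqualified names, for certificates that carry any."""
    findings = {}
    for cert_id, cert in inventory.items():
        bad = sorted(n for n in cert_dns_names(cert) if is_unqualified(n))
        if bad:
            findings[cert_id] = bad
    return findings

# Constructed sample inventory; ids, names and addresses are illustrative only.
SAMPLE_INVENTORY = {
    "cert-001": {"subject": ((("commonName", "www.example.com"),),),
                 "subjectAltName": (("DNS", "example.com"),)},
    "cert-002": {"subject": ((("commonName", "exchange01"),),),
                 "subjectAltName": (("DNS", "exchange01.corp.example.com"),
                                    ("DNS", "exchange"))},
    "cert-003": {"subject": ((("organizationName", "Constructed Org"),),
                             (("commonName", "localhost"),)),
                 "subjectAltName": ()},
    "cert-004": {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("IP Address", "192.0.2.10"),)},
}

if __name__ == "__main__":
    for cert_id, names in audit(SAMPLE_INVENTORY).items():
        print(cert_id, "unqualified names:", ", ".join(names))
```
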

When you add in reports of foreign hackers stealing certificates and creating fake ones, plus hardware devices that perform SSL man-in-the-middle attacks, it sounds like SSL is really in need of an overhaul.

Cross-posted from Cyber Arms
