SSLStrip Now In the Wild

An anonymous reader writes "Moxie Marlinspike, who last week presented his controversial SSL stripping attacks at Black Hat Federal, appears to have released his much-anticipated demonstration tool for performing MITM attacks against would-be SSL connections. This vulnerability has been met with everything from calls for more widespread EV certificate deployment to an even more fervent push for DNSSEC."

Alternatives

[jetsci]

I guess the question then is, what do we use as an alternative? What can we even do?

Re:Alternatives

dude at informationweek wrote this. looks like not much end users can do.

Re:Alternatives

I guess the question then is, what do we use as an alternative? What can we even do?

IP over Avian Carriers! I'd like to see them do a man in the middle attack on PIGEONS!

Re:Alternatives

[jetsci]

First off, SSL isn't broken and Marlinspike doesn't say that, either. What is broken is how users perceive a secure Web session from an insecure one.

Apparently this only affects those who don't pay attention...nothing to see here.

Re:Alternatives

[jetsci]

It's called a shotgun.

Re:Alternatives

[tick-tock-atona]

These guys now have your credit card number, and the passwords to your email and bank accounts. The good looking one on the right also has your girlfriend's email & phone number.

Re:Alternatives

[jetsci]

But did he get the combination number to her chastity belt? I haven't actually seen the thing but it must exist since I can't get anywhere near there...

Re:Alternatives

[hal9000(jr)]

Apparently this only affects those who don't pay attention...nothing to see here.

Can you make the claim you are 100% vigilant 100% of the time?

It's more subtle than that. It takes away one of the biggest indicators that there is an SSL problem--the dialogs. Watch the presentation video. It's pretty cool. What Moxie shows is that often the indicators of SSL enabled and not enabled are practically non-existent. It's easy to see how most users, even tech savvy ones, could be fooled.

Re:Alternatives

[arndawg]

dude at informationweek wrote this. looks like not much end users can do.

I see he uses ARP-Spoofing to re-route the traffice via the infected host. A good managed switch comes a long way in defeating arp-juggling I guess.

Re:Alternatives

[SuperNothing307]

Check to see if the URL to the site begins with http:/// before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.

Also, as interesting as this attack is, it should be noted that it does require the attacker to have network access (so he can perform the MITM attack, usually through ARP spoofing). There are a number of ways to fight arp spoofing, but if you're on a small network, just set static arp tables on your machines and you've done pretty much all you can do. The attacker can still attempt to get access at your ISP and on the other end, at the web host, but handling that much traffic without being noticed would be difficult, so I doubt one would try it. (and I'm sure someone will now prove me wrong...:P)

Re:Alternatives

[Lostlander]

Watch out for Packet Loss It can be quite high in certain areas especially if you're rural. Also be aware of Hackers

Re:Alternatives

[3p1ph4ny]

Check to see if the URL to the site begins with http:/// [http] before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.

Even this doesn't work. Legitimate banks do this (http://www.usbank.com is one, who I've banked with in some fashion since I had a net worth of over $50). Note that after you type your username in, you're taken to a secure page.

Re:Alternatives

[Creepy+Crawler]

And a lot of managed switches are garbage. Basic attacks of fake arp requests will easily overload these kinds of switches.

And ARP poisoning sill is very effective.

Re:Alternatives

[Lord+Ender]

We don't need an alternative to SSL. We need browsers to implement proper UI. The user MUST be made aware if clicking a button would transmit a password in cleartext. The user MUST be made aware exactly which domain they are connected to during an SSL session. On a large busy screen, a tiny bit of text in a corner is the wrong way to do this.

Re:Alternatives

[jiriw]

So much for RFC 1149 and 2549 ... Guess I need to upgrade then. Now where did I leave that 300bd modem. It should somewhere over ...[CARRIER SHOT]

Re:Alternatives

that's when you just type in: https://www.usbank.com
I've done this with google (before it was doing SSL)
sometimes I'll put in a gibberish username just to be taken to the https page.

Re:Alternatives

[dachshund]

Check to see if the URL to the site begins with http:/// before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.

Try Wachovia's site: http://wachovia.com/

Lock icon: check.
Unsecured HTTP page: check.

I don't have a Wachovia account, so I can only assume that the actual UID/password info goes over SSL, but that's irrelevant to this attack.

Re:Alternatives

actually if any of you guys payed ANY attention you'dt notice this lil tibit of info

" Marlinspike's SSLstrip sits on a local network and intercepts traffic. When it detects an encrypted HTTPS (Hypertext Transfer Protocol Secure) site, it automatically substitutes a look-alike of the intended destination as an unencrypted HTTP site. That switching trick strips away the security that prevents a third party from stealing or modifying data, while telling the server that an encrypted page has been sent.

To better impersonate the security measures some users have come to expect, "SSLstrip" even adds a padlock icon that appears beside the URL, offering users a false sense that they can safely input secure information. "People seem to like the padlock," Marlinspike says. "

Re:Alternatives

[spartacus_prime]

Better call a locksmith.

Re:Alternatives

[Onymous+Coward]

Slashdotters from the prior related story suggested the following tweaks to make SSL connections more obvious and identified:

    Site name in "Site ID Button":
        http://news.cnet.com/8301-13554_3-9974672-33.html
    Yellow background in address bar:
        http://news.cnet.com/8301-13554_3-9974221-33.html

Re:Alternatives

[maxume]

End users can demand and use a https only browser (it could also include domain whitelisting.).

I suppose that isn't a trade off that people will want to make, but it isn't that hard to categorically prevent the attack.

Re:Alternatives

[QuoteMstr]

Nifty. Thanks.

Re:Alternatives

[Flendon]

For those who don't like to verify there connection themselves can just use Firefox 3.0. If the site really is secure the background of the favicon changes to blue or green depending on how trusted the certificate is. So when the background of the padlock doesn't change color you will know it is fake.

Re:Alternatives

[Dekortage]

Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.

Maybe. The login form might be located on an HTTP page, but as long as the form submits to an HTTPS page, your login credentials are still SSL-encrypted. Conversely, if you have an HTTPS login form, but the form action goes to an HTTP site, your credentials are NOT encrypted.

Re:Alternatives

[SuperNothing307]

If you're using Firefox, unlike in the demonstration shown on the sslstrip site, it will show you where the link on a button goes to. Make sure that the mouseover link says https:/// and you should at least be better off. Although, then you can start doing things with javascript to change what the mouseover property displays, so there's still room for an attack I guess. Like I said, better to just make sure that there isn't a MITM and its not a problem.

On a side note, I did notice though that Bank of America (a site he showed off the attack on) has since made their home page SSL encrypted. Good for them.

Re:Alternatives

We don't need an alternative to SSL. We need browsers to implement proper UI. The user MUST be made aware if clicking a button would transmit a password in cleartext. The user MUST be made aware exactly which domain they are connected to during an SSL session. On a large busy screen, a tiny bit of text in a corner is the wrong way to do this.

That means: browsers should, by default, ship tools such as TamperIE which will show you all data being sent from your browser ?

Re:Alternatives

[Lord+Ender]

Absolutely not! Overload a user with information and you get a trained clicker. Only unencrypted authentication information should trigger warning/are-you-sure UI.

Re:Alternatives

[Al+Al+Cool+J]

That will protect you from the attack vector he created FIVE years ago.

With this new attack, you do see an https://yourbank.com/blahblahblah URL and it comes with a valid certificate.

To protect against this attack, you have START your browser session by entering the correct https URL. If you start with http and only get to https by following a link or redirect, then you could already be 0wned.

Re:Alternatives

[tom17]

Lock icon? No.

Re:Alternatives

RFC 2549 is fundamentally flawed, with substantial vulnerability to session hijacking and 911 attacks. The vulnerabilities were in fact so overwhelming for the highest QOS level that Concorde QOS has since been discontinued.

Re:Alternatives

[SuperNothing307]

While telltale signs of the switch remain â" the Web address starts with HTTP rather than HTTPS â" most users do not even notice.

http://www.securityfocus.com/brief/910

From everything I've read about this attack, it does not present an https:/// URL on unencrypted traffic, just attempts to trick you into thinking it is encrypted by covertly changing all the https:/// links to http:/// and presenting a padlock favicon on supposedly encrypted sites. It mainly relies on the hope that you don't notice the http:/// link. I would be interested to hear where you have seen otherwise though.

Re:Alternatives

[Ark42]

How about just having browsers refuse to submit <input type="password"> fields unless the source page and submit page are the same domain, and the submit page is secure.

Re:Alternatives

[daveewart]

The login form might be located on an HTTP page, but as long as the form submits to an HTTPS page, your login credentials are still SSL-encrypted.

In general, yes, but one of the 'tricks' of sslstrip is that it changes the content of the HTTP-served page so that the (formerly) HTTPS submission page is no longer HTTPS, but HTTP.

Re:Alternatives

[Al+Al+Cool+J]

I watched the video presentation which another poster linked to. One you MITM the http session, you can proxy the SSL login page using a modified https url for which you do have a valid certificate. The users get a valid https page, only not for the domain they think it is, but the url deception is so slick it's hard to imagine anyone spotting it.

This is an improvement over the older version which worked in the way you described (and which BTW he found to be 100% effective in fooling people based on a limited trial on a TOR network - which is also scary).

Re:Alternatives

[russotto]

Even this doesn't work. Legitimate banks do this (http://www.usbank.com is one, who I've banked with in some fashion since I had a net worth of over $50). Note that after you type your username in, you're taken to a secure page.

Legitimate banks do it, but they shouldn't. At least usbank.com isn't asking for the password on the unsecured site. But just because they do it doesn't mean you should put up with it -- https://www.usbank.com also works, and really is secure.

Re:Alternatives

[mrcaseyj]

>as long as the form submits to an HTTPS page, your login credentials are still SSL-encrypted.

No, If any part of a page is not encrypted then an attacker can effectively strip all encryption from the entire page. See this page from a Microsoft Internet Explorer programmer: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
and this page about airpwn where attendees at a security conference had the images in their web pages turned upside down.
http://www.informit.com/guides/content.aspx?g=security&seqNum=158

Say for example you're using an unsecured wireless access point at an Internet cafe. There can be an attacker five miles away with a high gain antenna listening for someone to log into their bank by a login page that only encrypts the password. When your computer sends out the request for your bank's page, if the hacker's computer is fast enough, it can impersonate the wireless access point and send a version of your bank's login page with the password encryption stripped and the password redirected to whatever computer your attacker wants. When the real server finally responds to your request a few milliseconds later, your computer will think it's a mistaken duplicate and ignore it. This is not a theoretical attack, it has been publicly demonstrated. Your first login attempt may fail as the password is redirected to the attacker, but once your attacker has your password, he can return things to normal so your second login attempt will succeed. You'll just think you mistyped the password on the first try.

Re:Alternatives

[Dekortage]

No, If any part of a page is not encrypted then an attacker can effectively strip all encryption from the entire page.

You're right, and thanks for the links. Though, this seems to be more a problem with scripting vulnerabilities and MITM attcks than with HTTPS specifically.

I also thnk that browsers just should not allow a form on a not-fully-HTTPS page to submit to a HTTPS URL.

Re:Alternatives

[Ashriel]

What can we even do?

Look for both https:/// and a company-specific logo in the address bar. We can't trust generic padlock symbols anymore.

Of course, if a hacker is targeting only a specific site, he'll just use that logo. But there's better ways to target a single business than using SSLStrip.

The best thing you can do is manually type the https:/// in yourself. This simple act appears to defeat SSLStrip. I've got all my secure logins bookmarked with https addresses now.

Re:Alternatives

[complete+loony]

That's a pretty good idea. Show a little red open / green closed padlock in the corner of every password field based on the protocol of the receiving page.

Re:Alternatives

[Mozk]

No, mousing over input buttons in Firefox does not display the form's action URL.

Re:Alternatives

[SuperNothing307]

Yeah, you're right. My bad. Someone at Bank of America must have seen that demo and added in some javascript to do that.

Re:Alternatives

[Mozk]

Passwords are not the only thing people encrypt.

Re:Alternatives

[evilviper]

after you type your username in, you're taken to a secure page.

There's a simple solution for 99.99% of sites like this.

Leave the form blank, and click on the (LOGIN) button anyhow.

THEN you will be taken to a SECURE page, where you can safely enter private information.

Just because USBank is careless and stupid, doesn't mean you have to be.

Re:Alternatives

[kybred]

Your first login attempt may fail as the password is redirected to the attacker, but once your attacker has your password, he can return things to normal so your second login attempt will succeed. You'll just think you mistyped the password on the first try.

That's why I always type my password in wrong on purpose the first time!

Re:Alternatives

When did Slashdot get overwhelmed by MySpace users?

The login posts to a secure page. If you are not clued up enough to know how to view source and examine a element you probably shouldn't be postulating on this article.

If you think a picture of a padlock on a website you are looking for is indicative of any sort of security you probably shouldn't be using the internet unsupervised.

And this is not an "attack", it's nonsense posted by some other MySpacer who has seen Hackers too many times and wanted to see his name in print.

Re:Alternatives

[@madeus]

I think that's a load of bollocks.

Link to ONE legitimate bank that uses HTTP (rather than HTTPS) when transmitting login details. ONE.

Re:Alternatives

[Talennor]

Note that after you type your username in, you're taken to a secure page.

No, you might be taken to a secure page. It's hard to tell and you can't trust that somebody hasn't messed with the connection yet.

But just because banks are doing it doesn't make it smart. It's really a bad and insecure practice. The fact that my bank, Wachovia, has one of these insecure logins on their homepage makes me worry about my account and information. Though I don't use that login. You can find one that actually uses SSL deeper on the site (or https to the exact same homepage kind of works too).

Re:Alternatives

[Simetrical]

We don't need an alternative to SSL. We need browsers to implement proper UI. The user MUST be made aware if clicking a button would transmit a password in cleartext. The user MUST be made aware exactly which domain they are connected to during an SSL session. On a large busy screen, a tiny bit of text in a corner is the wrong way to do this.

And yet we don't live in Imaginary-Land where users and administrators make careful decisions all the time. If you pop up a box every time users submit their credentials in plaintext, users will completely ignore the box. Period.

For real security on the general Internet, you need a solution that always work, without user knowledge.

Re:Alternatives

[bhiestand]

s/there/their... also, it only changes the background of the favicon by the URL bar. It doesn't affect the favicon displayed in tabs, which is the one most of us tend to notice.

Re:Alternatives

[Mozk]

I don't get a tooltip on their site, and I don't see anything in the code. In any case, they are stupid if they added that because there is no security gained by doing so. The attacks detailed could just add it themselves, and there's nothing that says that the tooltip has to match the actual location anyway.

Re:Alternatives

[SuperNothing307]

Well, I do, Firefox 3 on Ubuntu. Don't know what to tell you. I agree, doesn't really increase security all. But it sure does make people feel safe, and that's what really matters, right? :P

Re:Alternatives

[Mozk]

Heh, maybe I'm just being MITMed.

Sounds ugly

[indi0144]

can anyone care to explain this for the unwashed masses? I was just starting to use SSL for my home server hoping to learn to use it for my clients servers. Is this so bad as it sounds? ty

Re:Sounds ugly

[cosmocain]

Is this so bad as it sounds?

Technical: Yes.
Real-world-home-server: No.

Talk about choices...

Re:Sounds ugly

[^BR]

You could also try to read about it... The problem is not with SSL, it's with an attacker redirecting the traffic before it is in SSL, as your typical banking session usually start in plain HTTP. People then fail to understand the visual clues given by their browser. This attack is a nice technical MITM/social engineering mix, countermeasures are not really purely technical, if banks stopped to be cheap and did all their serving over HTTPS there would not be any HTTP traffic to modify in the first place...

Re:Sounds ugly

[morgan_greywolf]

Normal:
You <-----HTTP-----> Bank
You <---HTTP---Bank Redirects to---> Bank SSL
You <--HTTP+SSL--->Bann

pwn3ed:
You <----HTTP---> MITM <----> Bank
You <----HTTP---> MITM <--Redirects to MITM fake SSL---> Bank
You <----HTTP ---> MITM

Re:Sounds ugly

[Elledan]

In essence one could say that the issue in this case is _not_ with SSL, but with HTTP, and similar protocols which have never considered security except as an afterthought (HTTPS is plain HTTP over SSL).

FTPS for example, which is FTP over SSL, is hardly used at all and instead protocols like SCP reign for secure FTP. If people would just stop what they're doing for a moment and realize that the issue is that we're using an inherently unsecure, stateless protocol wrapped inside a security blanket for transactions and communications vital to world economies. In my opinion it would be unfair to say that end users should 'just pay attention'. I know very well that I don't scrutinize everything whenever I'm buying something online or using my bank's web interface.

The solution to this is really to stop using HTTPS for 'secure' access and use something better, even if it means a lot of 'inconvenience'. Seriously, sometimes we all love to play Russian roulette with our finances and more...

Re:Sounds ugly

[hal9000(jr)]

SSL is NOT broken. It is still an effective way to encrypt network traffic.

The attack breaks down two ways. Proxying web traffic between a user and a sensitive site like a bank and/or repsenting a URL to a user that looks legitimate but isn't.

The indicators that you are on an SSL site are varied. A lock in the lower right of the window (FF3), to the right of an address bar (IE 6 and below), or a green address bar (IE7 EV cert) or a green indicator to the left of the address bar (FF3). All except the EV SSL certs are pretty subtle. The success relies on the fact that there are so many varied ways that SSL protection is presented to the user, can you keep track of it all. Quick, which sites use EV certs? You don't know so you don't know what to expect.

So, the attack does a couple of things to fool you. First it proxies your web traffic to secure sites re-writing urls that start with HTTPS to HTTP. The only indicator in browsers is no lock. If you are not looking for it, then you probably won't miss it. But wait, since we are rewriting URL's, why not replace the favicon with a lock. Yummy.

The second type of attack is to proxy HTTPS to HTTPS, but this time the SSL session between you and the proxy is enabled with a valid and trusted SSL certificate. No SSL dialog boxes. Here is how it works. IDN is used so that countries can represent URL in their native character sets. Some non-ascii characters look like characters. So use them to fool the user. These are called homographs. Browsers will convert some IDN based on the TLD. But other TLD, like country codes TLD, the browser won't. The assumption being a .com hostname should be ASCII while a TLD for China should be IDN. Knowing that, get a hostname in a CC TLD. Get a certificate for your hostname. Then create a really long hostname using IDN so that the TLD portion will be pushed off the end of the address bar. You can forge any legitimate web site this way and the only indicator is either examining the certificate or looking at the TLD in the URL. There are IDN that look like slashes, so making a "path" is easy.

Moxies video is pretty clear.

Re:Sounds ugly

[QuoteMstr]

The solution to this is really to stop using HTTPS for 'secure' access and use something better

Let me guess: you think SMTP is to blame to spam, too.

In both cases, the protocol is not the problem. In fact, both protocols are well-designed and effective. Blaming the protocol is a gross oversimplification of the problem and a cop-out. If you were to do enough work to propose a solution, you'd realize that quickly. Any new protocol that did the same job as HTTP or SMTP would run into the same intrinsic problems these protocols face today. You can't pretend these problems will go away if you shuffle some bytes on the wire around and publish a new RFC.

If you want to solve the problem, you need to change the model these protocols embody. What would be your proposed change, exactly?

Re:Sounds ugly

Let me guess: you think SMTP is to blame to spam, too.

I think laziness is to blame to typos.

Re:Sounds ugly

[sam0737]

Though I think if you know that particular IP is that bank, you can still initiate a MITM attack by generating a certificate that supposes to have violated the EV rules. And the crappy client will be more than happy to accept it.

Hey, IPHostname in SSL is almost one to one mapping, if it's not already. There is basically no virtual host in SSL website...

Re:Sounds ugly

[YesIAmAScript]

Thank you for the accurate and lengthy info.

But it seems odd to me this is considered a crisis when the only sure fire way to detect is merely that the URL of the site you are at isn't the site you went to!

I know all the stuff about how international glyphs can look similar, but that still shouldn't be enough to fool people. Few legit sites that you submit personal info to have really long URLs to them, so if you see that the TLD isn't visible, that's a tip off to be on guard right there.

Not the end of the world

[DigitalSorceress]

Reading TFA, it seems to me that there IS something that the end user can do to protect themselves: Look for the https:/// in the address bar and DON'T LOOK THERE (favicon.ico area) FOR THE PADLOCK... the padlock should be down in the statusbar area where it always is.

Out of reflex, I always check that my URL starts with https:/// and I check the cert when I'm dealing with someplace new. Now, I'm just always going to check the cert... even if I'm connecting to a site I use all the time.

If Moxie really wanted to make things tougher, they could maybe add a cert to their tool. THAT would make it so you'd only notice if you read the cert and realized it wasn't what it was supposed to be.

THAT's scary.

Re:Not the end of the world

[IBBoard]

If you read some of the articles (Forbes and a linked one) he can spoof the appearance of a valid certificate as well using International Domain Names. The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://a/ load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/

For the basic attack then actually checking for HTTPS and a proper validation (not just a padlock, but a padlock and the other markers), but for the fuller attack that takes advantage of the IDN then you'd probably need to read the certificate itself, which would require you to know which certificate you're expecting, which would require something like a page with the signature on saying "look for this", which could then also be spoofed (in cases where it was worth it, e.g. a bank).

Re:Not the end of the world

[QuoteMstr]

The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://a/ load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/

Hrm. I must have missed that; it's a clever trick. Then again, I've always thought international domain names were gratuitously unnecessary.

The solution to this problem is simple, and I'm surprised browsers don't do this already: add fake '/' character isn't in the IDN blacklist. In Firefox, network.IDN.blacklist_chars already contains plenty of things that look like '/'. Maybe other browsers need to follow its example.

Re:Not the end of the world

[hal9000(jr)]

The solution to this problem is simple, and I'm surprised browsers don't do this already: add fake '/' character isn't in the IDN blacklist. In Firefox, network.IDN.blacklist_chars already contains plenty of things that look like '/'. Maybe other browsers need to follow its example.

Do you know if FF will detect blacklist characters for all TLD's or just the non-IDN TLD's like .com and .net?

Re:Not the end of the world

[Vellmont]

Look for the https:/// in the address bar and DON'T LOOK THERE (favicon.ico area) FOR THE PADLOCK

So great.. you teach everyone to LOOK FOR THE HTTPS, and that means you're safe!

Then, the attackers simply use a variant of the (similar URL method), and are sure to include SSL, so the URL is (for example) https://www.mybank.com.com.cn/ (or whatever fools the user).

Even if you could somehow re-train millions of people successfully to understand one particular attack mode, another one will always be right around the corner.

I'm not sure there is a really good solution to this problem. The obvious solution is a more secure browser. That's better, but the downside is of course the continuous update treadmill.

Re:Not the end of the world

[QuoteMstr]

Another, perhaps more reliable option would be to change how long URLs are displayed.
Right now, if a domain name exceeds the length of the address bar, it's truncated on the right. Consider:
www.paypal.com/foo/bar/qux/sessionid/12341/do.myevildomain.com. If this URL is displayed as:

www.paypal.com/foo/bar/qux/sessionid/123

the user will be fooled. What if, instead, the truncated domain name looked like this?

www.paypal.com/foo/bar/...341/do.myevildomain.com

That way, no matter what evil junk is in the domain name, the user will see both its beginning and end and know something strange is going on.

Re:Not the end of the world

[characterZer0]

What if the address bar highlighted the portion of the address that is the domain name? It would then be obvious if the domain name was being spoofed.

Re:Not the end of the world

[QuoteMstr]

That's another good idea, but I think users might not be alarmed by seeing the entire address bar highlighted in that way as long as it still reads paypal.com/foo/bar/qux/blah/blah/blah. Again, it's the difference between making a security indicator subtle and making it almost impossible to miss.

Re:Not the end of the world

[themacks]

That would be easy to get around as well. Just append junk to the end of the domain. Such as:

www.paypal.com/foo/bar/...341/do.myevildomain.com/?page=securelogin&more=ramdomcrap&people=fallforanything

Then the domain would not be visible and we are back to square one.

Re:Not the end of the world

[QuoteMstr]

No, I'm talking about truncating the domain name in the middle, not the entire URL. Long URLs will still have their path and query-string portions trail off to the right, but the beginning and end of the domain name will always be visible.

Re:Not the end of the world

[chihowa]

I've been playing around with the Windows 7 beta and whatever IE version it uses does that. "domain.tld" is black and the rest of the address is grayed out. I was actually pretty impressed, though I'm not sure how it works with very long addresses.

Re:Not the end of the world

[feepcreature]

The answer is not so much to highlight the domain name (it can be very long in some spoofing URLs). It is to show clearly the [most significant parts of the] top level domain - if necesary in a separate area. HOW it's done is a matter for the browser developers, but the INFORMATION needs to be made clear to users. Highlighting the domain name MAY be one way to do that, but teh answer depends on screen real estate available, user expertise, and other factors.

The end result is no more confusing MyBank.blah.blah.blah.stop.reading.by.here.hacker.com domains.

This information (the domain a link REALLY points at) could also be part of the mouseover for a link (or a link that goes offsite, anyway). Even mail clients that allow you to open links should let users know the domain a link is going to.... never understood why they didn't.

Re:Not the end of the world

[Al+Al+Cool+J]

Still doesn't help if you can also find fake international characters to replace things like ?, & and =. Say the evil domain is 74h34.be, then your evil url could look like:

https://mybank.com/bunch/of/paths/banking.jsp?bunch=of&arguments=here&session=0WjEc.74h34.bE

Now it just looks like an innocent session hash.

Re:Not the end of the world

[QuoteMstr]

Okay, so that will show up as:
https://mybank.com/b...h34.bE/real_path_here
It's clear that something is wrong.

Re:Not the end of the world

[Al+Al+Cool+J]

Except there is no need for a /real_path_here. All the information the MITM needs to do the proxy is contained in the stuff to the left of the domain (ie the subdomain). He can manage the path any way he wants on his webserver using mod_rewrite etc. This is a wickedly nasty attack.

Re:Not the end of the world

[QuoteMstr]

Good point. What about completely stripping punctuation from IDNs?

Re:Not the end of the world

Ff3 puts the domain name on the cert in a highlighted box at the right-hand end of the location bar, so at least it is fairly obvious that the domain on the cert is wrong.

Re:Not the end of the world

[evilviper]

for the fuller attack that takes advantage of the IDN then you'd probably need to read the certificate itself, which would require you to know which certificate you're expecting,

No. You just look next to the padlock icon in the Firefox statusbar, and notice that it says, in no uncertain terms: "www.evil.com"
You realize that you weren't trying to get to www.evil.com, and that the URL isn't showing www.evil.com and are forced to consider that something is very wrong.

Re:Not the end of the world

[drew]

You would have to read the certificate itself, but you wouldn't really have to know that much about the certificate that you are expecting... If you think you are going to secure.paypal.com, and the name on the cert says secure.paypal.com/any-random-collection-of-characters-regardless-of-whether-it-looks-like-a-legit-url.evil.com, you should probably be a little suspicious.

Really, the solution to this is same same to every other "attack" on SSL - Type the URL into the address bar yourself, or click on a bookmark. You just have to pay a little bit more attention when you do it than you used to. The real problem is the people who don't understand why they should care. When the attack on Google was announced a while back, I made my wife change her account settings to only use secure pages, and she made the snide remark, "Oh, No! somebody could have gotten into my email! Oh dear!" I tried to explain to her why she should care, but eventually just gave up and told her it didn't matter whether or not she cared, I was still going to do my best to make sure it didn't happen.

Re:Not the end of the world

[IBBoard]

Really, the solution to this is same same to every other "attack" on SSL - Type the URL into the address bar yourself, or click on a bookmark.

Except for the bit where this exploit, if deployed on your local network, can redirect typed addresses. Yes, the certificate wouldn't match, but a) people don't check that kind of thing, b) people would find it too technical, no matter how simply you explained it, c) people would find it a hassle and think that the computer should do that for them and d) people don't check that kind of thing.

Re:Not the end of the world

[characterZer0]

But the problem here is that the domain is wrong before you make an SSL connection.

Re:Not the end of the world

[rjstanford]

Sounds good... but then you'd just end up with this:

www.paypal.com/foo/bar/qux/sessionid/12341/do.myevildomain.com/foo/bar/qux/sessionid/12341

Which would display like this:

www.paypal.com/foo/bar/.../sessionid/12341

Looks good to me!

Re:Not the end of the world

[jonadab]

I tend to think making the domain name a different color from the rest of the URL would be a useful visual clue.

But, really, most IDNs should just be disabled by default, with only ones in the writing system used for the l10n language (if applicable) enabled out of the box, and a UI in the prefs for enabling IDNs in additional specific writing systems that the user knows how to read. Unless the user is a very accomplished linguist, there's NO good reason for all of Unicode to be supported. The overwhelming majority of users are literate in at most two writing systems, one of which is probably the Latin alphabet (which only even needs IDNs at all if you simply must have diacritical marks).

I mean, even setting aside pretty much the entire Western hemisphere (where if you ask random people on the street to name two alphabets they're probably going to say the English alphabet and the Spanish alphabet), a user in Ukraine probably only needs IDNs in Cyrillic. A user in India probably only needs IDNs in Devanagari and maybe Tamil. A user in Iran probably only needs IDNs in Arabic. And so on.

Security is a social issue. Educate!

[QuoteMstr]

This attack does not break SSL in any way. It simply tricks users into entering sensitive information into unencrypted context.

The solution is user education. We need to train users to look for the browser padlock icon. We need to add browser extensions that heuristically detect credit card numbers being entered into unencrypted sites and to warn the user. We need to train users to click "no" on security dialogs when they appear. We need to tell users that a padlock icon a website puts next to a form is unacceptable. We need to train users to be vigilant, because nasty people are trying to steal their information.

I'd like to see fewer people using self-signed certificates that train users to ignore SSL warnings. I'd like to see public service advertisements. I'd like to see basic computer safety classes in public schools. User education is the only hope we have against stupid users!

The fault lies partly with browsers too. Firefox, particularly, should never have toned-down the non-EV SSL user-interface --- sure, making EV special is fine, but allowing sites to spoof the SSL UI with a favicon is unacceptable. People have been saying this ever since Firefox 3 came out, but maybe now someone will pay attention to us.

Re:Security is a social issue. Educate!

[IBBoard]

We need to train users to look for the browser padlock icon

But this can spoof that as well for many users (and even for Firefox users it might make the unwary feel safe).

We need to add browser extensions that heuristically detect credit card numbers being entered into unencrypted sites and to warn the user.

He also mentions methods for using IDN (Internation Domain Names) and wildcard SSL certificates to spoof HTTPS versions that look even more like the real thing than https://yourbank.com.some.evil.website.com/... (also mentioned here)

I'd like to see fewer people using self-signed certificates that train users to ignore SSL warnings.

I'd like to see that as well, but for that to happen you need to provide a way for low risk and not for profit sites to get certificates that are accepted by browsers but without the fees. I've set up my email (Webmail, IMAP and SMTP) with SSL certificates, but it took some searching to find someone who would give me a free SSL certificate and even then the issuer isn't in most browser's approved list. I'm protecting a small amount of traffic from lazy eavesdroppers, not protecting a financial institution - I don't need the expense and the insurance.

The fault lies partly with browsers too. Firefox, particularly, should never have toned-down the non-EV SSL user-interface --- sure, making EV special is fine, but allowing sites to spoof the SSL UI with a favicon is unacceptable. People have been saying this ever since Firefox 3 came out, but maybe now someone will pay attention to us.

HTTPS puts a blue background behind the favicon and the padlock and certificate domain in the status bar. What kind of favicon can ever spoof the entire blue background. More importantly, what favicon can ever spoof the status bar section?

Re:Security is a social issue. Educate!

[QuoteMstr]

He also mentions methods for using IDN (Internation Domain Names) and wildcard SSL certificates to spoof HTTPS versions that look even more like the real thing than

This problem is easy to solve technically with an IDN character blacklist. The https-to-http redirection is far more insidious.

HTTPS puts a blue background behind the favicon and the padlock and certificate domain in the status bar. What kind of favicon can ever spoof the entire blue background. More importantly, what favicon can ever spoof the status bar section?

You and I know to look for these signals, but most users don't. They'll see the padlock and think they're good to go. We need to train them to look for obvious unspoofable signals that are common across browsers, like the green background under the address bar of an EV site.

If we tell a bunch of high school students, "don't enter your credit card information into any website unless you see a padlock icon on the status bar and a blue background on the icon next to the address bar", what they'll get out of it (if they're listening at all) is "mumble mumble look for the padlock mumble mumble." We need to make security blindingly obvious!

I'd like to see that as well, but for that to happen you need to provide a way for low risk and not for profit sites to get certificates that are accepted by browsers but without the fees.

I think the EV model here is useful. Create a new CA that's specifically marked as being free and make browsers display a different UI for a site encrypted by a certificate originating with this free CA --- say, an orange address bar. Making the free-encrypted UI different will encourage users to not treat self-signed sites as being as secure as CA-verified ones, and won't diminish the value of a CA-verified certificate. It'll also train users to understand different degrees of security.

Re:Security is a social issue. Educate!

[Culture20]

HTTPS puts a blue background behind the favicon and the padlock and certificate domain in the status bar. What kind of favicon can ever spoof the entire blue background. More importantly, what favicon can ever spoof the status bar section?

Why can't a favicon start with a blue background? Can't a favicon from the target site get a new blue background dynamically easily? Who pays attention to the status bar? What about TFA's assertion of being able to use

https://login.paypal.com|login.php?oEEnt39ju4wHEhehw&=$*Y$JJSFJIsEE36879899696969696933...200morecharacters.fakedomain.ru

with a real SSL cert for fakedomain.ru? Note, apparently | can be a character that is not | or / but shows up just like /

Re:Security is a social issue. Educate!

>I'd like to see fewer people using self-signed certificates that train users to ignore SSL warnings.

Better yet, make the browser handle self-signed certs better than 'oh its not signed by verisign, thus its evil'... On FF3 if I go on a website that's using a self-signed cert, it won't let me use that website until I click through three to five different security warnings all of which begging and pleading for me to not accept the cert. In reality, of course, not everything is sensitive enough that it needs a verisign EV cert; If I'm logging into a message board I don't require the same security than if I'm logging into a bank or PayPal account. It should just let me through, say it's using a self-signed cert, and warn me again if the cert changes. On the flipside, it should be throwing up the big warnings for completely unencrypted connections, ESPECIALLY if it's from a site that uses verisign EV certs.

Re:Security is a social issue. Educate!

[QuoteMstr]

It should just let me through, say it's using a self-signed cert, and warn me again if the cert changes

One problem with this approach is that it's impossible to revoke a self-signed certificate if it's compromised. Another is that users will always see the OH-MY-GOD-THE-CERT-CHANGED warning every time the certificate expires, or when the site moves to a conventional CA-signed certificate.

A better option that still gives you want you want is a special free CA that the browser recognizes and that will give the user a different, low-security-indicated UI indicator. This solution still gives you most of what you want and is much more secure for everyone involved.

Re:Security is a social issue. Educate!

No, the solution to to encrypt everything on the Internet. Everything should be SSL across the board.

There could also be a central authority of some sort that can issue low-cost or free trusted and untrusted certs. Although that does get kind of complicated.

Re:Security is a social issue. Educate!

[QuoteMstr]

No, the solution to to encrypt everything on the Internet. Everything should be SSL across the board.

That'd be nice, but it's not going to happen soon, and for plenty of different reasons. We need to focus on solutions that are feasible now, not pie-in-the-sky ideas that will only be implemented after even more massive damage is done.

Re:Security is a social issue. Educate!

[QuoteMstr]

They handing out mod point to everyone these days or what?

No, they must be handling out mod points to people who have a fucking clue how SSL works. SSL is designed specifically to counter your simplistic scenario.

the mitm intercepts (and blocks) client's attempt to start an ssl session with bank, instead the mitm makes the ssl connection with the bank AND the client. Where is your https and padlock icons now?

The MITM won't be able to give the client the proper certificate for the domain name the client thinks he's connecting to. The browser will detect this mismatch and give the user a broken padlock icon and a security warning. Because we've educated the user, he'll know to look for the padlock icon, and that a broken padlock icon means "danger". Attack averted.

Re:Security is a social issue. Educate!

[thePowerOfGrayskull]

Education won't actually help. Most users do not know what a certificate is for. They have been trained to know that if a secure icon is present it's good. Many will have a basic knowledge that a secure connection is a sign that the info they send can't be eavesdropped; and maybe that it has something to do with being stored safely on the bank's (or whatever) web site.

When web browsers or people start talking about certificates, eyes glaze over. Most people don't know what a certificate is. If they get an expired warning, or get denied due to a cert being self-signed, they have no idea what that means - beyond the fact that something is preventing them from completing their transaction. At this point they get frustrated, not educated.

Now: all of this /can/ theoretically be fixed with education. But most computer users don't want to be educated. They want to go make their purchase, and be reasonably comfortable in the fact that a) their information is only seen by the people they want, and b) that nobody is going to steal it.

BUsiness and people have gone a long way to making the web accessible and friendly to non-technical people. e-commerce and banking web sites are built around analogies designed to make people think of a storefront transaction - and when you're making a transaction with a store or a bank, you know who you're working with because you went there yourself. Trying to educate people that the storefront transaction that they've long since trained to accept as the real thing, might not actually be the real thing, is a losing battle.

Phrased differently: try explaining the concept that even though someone drove to the bank, they might not be at the bank unless the teller shows them official identification. And then try explaining that even when the teller shows identification, they STILL might not be who they say, you should also call the official bank phone number and see if the teller's phone rings. But wait, even THAT isn't enough, you should contact the state licensing board to ensure that yes, they licensed THIS TELLER to handle your money.

Re:Security is a social issue. Educate!

[QuoteMstr]

Most users do not know what a certificate is for....They have been trained to know that if a secure icon is present it's good.

You're right. We can't count on users being any more than idiots. They'll just look for a secure icon. The trick is convincing them to look for the correct security icon, and to check that the address in the browser matches the site in the window.

These techniques are very simple, on par with looking both ways before crossing the street. I think almost everyone can be taught basic due diligence when it comes to security.

Re:Security is a social issue. Educate!

> The solution is user education.

The idea of user education fails miserably with the all too common problem of the Dancing Bunnies:
at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever's necessary to bypass your carefully constructed barriers in order to see the bunny

Re:Security is a social issue. Educate!

[Jay+L]

We need to train users to be vigilant, because nasty people are trying to steal their information.

Why is that any more likely to work than training people not to be nasty?

Re:Security is a social issue. Educate!

[jddj]

The solution is user education.

fail.

You're dealing with average people, not bright geeks. People won't read. They don't learn, and arguably they shouldn't need to do so to use someone's web site.

People - even some knowledgeable IT folks I know - think that the "lock" icon means an entire transaction, from client to server, is secure - not just that a transaction is conducted through an encrypted pipe.

They think the lock means:

• "you have to have a password to use this site"
• "the web site is specially protected from attack"
• "nothing can see or affect what's happening on my web browser"

None of that is true about working SSL.

Just what are your plans for educating 3-400 million people out of this fog?

The "lock" icon and the marketing text about security has fostered a consistent misconception in their minds. Good luck changing it.

Re:Security is a social issue. Educate!

[QuoteMstr]

I don't think the dancing bunny problem is quite so severe when users have to enter their credit card numbers or bank account information. The media has done a good job of whipping up a frenzy about identity theft.

Re:Security is a social issue. Educate!

[stine2469]

two points to make:
1) GUID's get caught by credit card regex
2) the reason for EV certificates is that the CAs weren't making enough money.  If they had been doing their jobs, i.e. making sure that the cert application was valid, then there would be no need for EV certs.....but that would cut into their profit margin.

The solution????? I don't know, I don't write protocol specs.

Re:Security is a social issue. Educate!

[ConceptJunkie]

What I don't understand is that Firefox _used_ to change the address bar text area background color to pale yellow to indicate a secure site and it stopped doing that some time ago. I always thought that was a great feature and much more obvious than that tiny little icon on the status bar, which can be lost in the noise next to the Greasemonkey icon and the NoScript icon, etc.

Re:Security is a social issue. Educate!

Ugh! Self-signed certs are NOT the problem.
The problem is that self-signed certs serve different purposes than CA-signed certs.

But I agree with your statement about Firefox 3
handling of the situation. It's been a disaster
as far as I'm concerned. The problem is Firefox does not distinguish self-signed from CA-signed certs. Instead Firefox pops up all sorts of annoying warnings and alerts that desensitize users to the fact that something might actually be wrong. Firefox is actually training users that annoying SSL warnings popping up all the time are just part of the typical experience. Naive users are just going to react by clicking through warnings without reading them.

We are training users that SSL is annoying and broken; and they would be right, at least, from the user interface point of view.

Re:Security is a social issue. Educate!

[IBBoard]

I didn't say a favicon can't have a blue background, but it can't fill out the full favicon. In Firefox 3 there's always at least a border of blue (although it could be more to be more obvious, TBH) that the favicon can't hide or spoof.

As for the IDN issue, I covered that earlier. My comment was just in response to the GP's comment about Firefox's SSL UI being spoofable when it's only vaguely spoofable.

Re:Security is a social issue. Educate!

[IBBoard]

If we tell a bunch of high school students, "don't enter your credit card information into any website unless you see a padlock icon on the status bar and a blue background on the icon next to the address bar", what they'll get out of it (if they're listening at all) is "mumble mumble look for the padlock mumble mumble." We need to make security blindingly obvious!

The "this is secured for this domain" bit in the status bar seems fairly obvious. Yes, people won't pay attention to the full "padlock in status bar and blue background around website icon", but if you say "it's secure if it has the padlock at the bottom and it says the site you're visiting" then that's still fairly simple to catch a reasonable number of people.

Create a new CA that's specifically marked as being free and make browsers display a different UI for a site encrypted by a certificate originating with this free CA --- say, an orange address bar. Making the free-encrypted UI different will encourage users to not treat self-signed sites as being as secure as CA-verified ones, and won't diminish the value of a CA-verified certificate.

Why make the free CA ones orange but not do anything about self-signed? Free CAs aren't self-signed, and paying for a certificate doesn't guarantee the checks are any more fool-proof. The free certificates I have need you to confirm you own the domain by sending a validation email to one of three fixed 'admin' email addresses, e.g. postmaster@example.com, which is all it needs in my situation.

Having degrees of security would be good in theory, but in practice you'd get the same as you mentioned for "blah blah blah padlock blah blah" where people would go "blah blah blah not white means it's secure blah blah blah".

Re:Security is a social issue. Educate!

[QuoteMstr]

Why make the free CA ones orange but not do anything about self-signed?

Because self-signed certificates are bad for a number of reasons, including non-revokability, trivial spoofing, and expiration turnover problems. Free CAs accomplish the same goal without any of the problems. The only advantage self-signed certificates have is a base emotional appeal to decentralization.

paying for a certificate doesn't guarantee the checks are any more fool-proof

At the very least, there is a paper trail of payment. That by itself is a good thing.

Having degrees of security would be good in theory

We already have degrees of security. A three-level system is not too complex for almost everyone to understand, and the padlock icon check will be more than good enough in the vast majority of circumstances. Adding a rule stating "the color has to be yellow or green for it to be safe for credit card information" might help too.

Re:Security is a social issue. Educate!

[IBBoard]

Because self-signed certificates are bad for a number of reasons...

Your previous comment seemed to imply a new, free CA that was treated differently to normal certificates, but leaving self-signed with the current behaviour (which is to warn and then treat them as normal once accepted). Self-signed certificates aren't as secure, but they do have certain uses (mainly within a knowledgeable audience)

We already have degrees of security. A three-level system is not too complex for almost everyone to understand

Except that we have three levels already (none, Secured and EV Secured) and you're recommending at least a fourth (orange for some free CA system) and potentially a fifth (an unmentioned but required different handling of self-signed, which provide everything you need for encrypting communication but don't provide the verification of the other person)

and the padlock icon check will be more than good enough in the vast majority of circumstances./blockquote>
Except that it has already been pointed out that a padlock as a favicon will fool more people than it should, even when it appears in Firefox, which puts its padlock elsewhere.

Re:Security is a social issue. Educate!

> HTTPS puts a blue background behind the favicon and the padlock and certificate domain in the status bar.

I know this, but I still get a moment's panic every now and again because the address bar is white. SSL no longer triggers an easily noticeable change in UI because that blue square is so small. I'm also certainly not trained to look at the status bar--so little useful information was there, I turned it off and installed Fission (puts the progress bar in the address bar).

I still don't get why EV-$$L is so great, because they're still just certificates. If certs are broken, then SSL is broken no matter how carefully you issue them.

It's the worst UI change ever, and it has zero justification....

Re:Security is a social issue. Educate!

[EXrider]

I'd like to see fewer people using self-signed certificates that train users to ignore SSL warnings.

Yeah, we'll we'd all like to see Verisign and the like not charge a fucking arm and a leg for a cert used to secure a webmail server, a mythweb server, etc.

I use StartSSL, they're a pretty decent provider of free class 1 certs, and their root certs are already in every major browser except IE, and they provide a nice lil' page that you can link to, to install the root certs into IE (after clicking through like 8 IE warning dialogs, no joke). They also use RSA for the signing algorithm, not that MD5 crap

Re:Security is a social issue. Educate!

[magamiako1]

Not necessarily sir.

As was stated you can get around this by registering a domain name with international characters that appear to look like characters you would either find in a domain (or looks like the other counterpart).

Then you register that long domain with the international character and get an SSL certificate for that domain.

Viola. The end user sees the trusted padlock because it's a very valid certificate for the domain the user is visiting.

Re:Security is a social issue. Educate!

[thePowerOfGrayskull]

Before that's possible, a standard would need to emerge and be respected by all web browsers. Right now, everyone kind of does their own thing...

I think that can help; but only for a subset of situations. If the URL in the address bar appears to match the site in the window, and the little icon is present, that would be as far you can get most people to go. Which won't help the larger issue of URLs crafted to look legit when they're not (coupled with MIM 'attacks')

Re:Security is a social issue. Educate!

[John+Hasler]

No background color or rebus is going work for many (perhaps most) users. You have display NOT SECURE in large enough type that they can't miss it.

Re:Security is a social issue. Educate!

They have been trained to know that if a secure icon is present it's good.

Those users are screwed, and there is nothing you will ever be able to do (short of retraining) to unscrew them.

So why not try to solve solvable problems? Anything else is a waste of time.

Re:Security is a social issue. Educate!

[drew]

Because self-signed certificates are bad for a number of reasons

Self signed certs (or rather, something that is basically identical in practice) work well enough for SSH, so they must have some value. I don't hear any clamoring for a certification agency for SSH keys.

Re:Security is a social issue. Educate!

[IBBoard]

True, the white background to the address and blue background to the icon isn't necessarily as obvious as a yellow background to the address, but I suspect it's more obvious in greyscale/colour-blind situations (or would be if you could see more of it).

As for EV certificates, the main reasons they're useful are a) to make more profit for the CA and b) to let people know who owns the certificate in a more obvious way. That said, browsers could probably do something similar to Firefox's EV behavior with non-EV certificates to make the owner more obvious.

Re:Security is a social issue. Educate!

[IBBoard]

Self-signed is all you need if all you're trying to do is encrypt the communications. It's no use for verifying the other end unless you have some guaranteed method of sharing the certificate's checksum and confirming a match manually.

As an example, if you've got a server you use for your personal website and you put your webmail on it on HTTPS then self-signed would be fine because a) you know what the certificate should look like (you made it) and b) once you accept it, anyone who tries a MITM would trigger your browser to say the certificate was changed, which you'd know you hadn't done. It's only once you get other people using it who don't know when you change the certificate that it becomes problematic (especially when those "other people" are the general public)

Re:Security is a social issue. Educate!

If Flashblock issues a fix for this one, then those folk(s) should be millionaires.

Re:Security is a social issue. Educate!

Ah, so you've never seen a real MITM SSL attack I take it. Or you'd be aware that generating certificates on the fly is not a problem. That the only "problem" is, at most, a certificate warning (not signed by an accepted root), and that even that is unlikely these days (keep up with the times and MD5 signing certs from Verisign for example).

While SSL may have been designed specifically to counter this attack it fails to do so in the real world.

Re:Security is a social issue. Educate!

[QuoteMstr]

First of all, MD5 is going away. It's not a flaw in SSL so much as a flaw in one hash function, and even with that flaw, it takes an insane effort to generate a fraudulent SSL certificate.

And in general, yes, you get a certificate warning. That's my entire fucking point! Users must be trained to heed these warnings. It's not hard. The indicator is very simple. The only alternative is to fail hard when seeing an invalid certificate, and that's not going to happen: it'd upset too many people. It's not a flaw in SSL that users ignore it! It's like running a motherfucking red light and whining that the red light is broken.

Re:Security is a social issue. Educate!

Viola.

What do musical instruments have to do with this conversation?

Re:Security is a social issue. Educate!

[Simetrical]

The solution is user education.

The Internet is used by billions of people. How do you propose to educate all of them? Even if you could, the technology changes on a year-to-year basis. Several years ago, IDN-based attacks weren't possible. Now the major browsers support IDNs, so suddenly you have a new attack avenue opening up.

Heck, look at non-computerized stuff. Tons of security advice is given out on a continuous basis, and people routinely ignore it. Do you report all the unattended bags that you see? I don't, even though I'm told to continually by the subway loudspeakers. Security advice that's a nuisance will be ignored.

The only real, working, full solution is going to be a technical one. It may require re-architecting the web or the Internet, but the problem is not impossible to solve technically. You have to make sure that there is no possible way for the user to submit any unencrypted info or receive any unsigned response from a sensitive website, that's all.

One way to do this, for instance, would be to get rid of HTTP altogether and use only HTTPS or some variant. Difficult and expensive? Sure. Impossible? Hardly. There are probably lesser measures that would work as well.

For now, of course, user education might be a good idea. But user education is never going to solve the problem, only mitigate it.

Re:Security is a social issue. Educate!

[Simetrical]

I'd like to see that as well, but for that to happen you need to provide a way for low risk and not for profit sites to get certificates that are accepted by browsers but without the fees. I've set up my email (Webmail, IMAP and SMTP) with SSL certificates, but it took some searching to find someone who would give me a free SSL certificate and even then the issuer isn't in most browser's approved list. I'm protecting a small amount of traffic from lazy eavesdroppers, not protecting a financial institution - I don't need the expense and the insurance.

I never understood why the chain of trust isn't just the same as the chain of domain name registration. There is one trusted authority that definitely knows that I own the domain name in question: the registrar I bought it from. In turn, the registrar for the TLD definitely knows that the registrar for my domain name is legit. And ICANN knows who the TLD registrars are.

So why don't we have one root certificate -- ICANN's. ICANN can then sign all the certificates of all the registrars it knows about, and those can sign those they know about, and so on. Finally, when you buy a domain name, your registrar can sign your private keys over the same web interface you used to buy the domain.

All of this can be covered by the fees that are already charged at every step along the way. Most of the bottom-level registrars are going to charge a fee for certificates commensurate with their costs, i.e., $0, because of competition. Everyone wins except the existing entrenched root authorities. What's the downside?

Huge pet peeve

[QuoteMstr]

A site should never lead the user to type sensitive information into a form on an unencrypted page, even if the form's data goes to an encrypted location when submitted. Doing this trains users to be lazy. What's even worse is trying to alleviate users very correct fears by putting a padlock icon next to the form. That's even worse: doing that trains users to believe that a website can signal its own trustworthiness apart from the browser UI, and that could have disastrous consequences.

I have a technical solution, but it won't be popular: browsers should display a warning when submitting a form on an unencrypted page to an encrypted URL. Since web designers are afraid warnings will spook users, they'll switch to making the form-entry pages encrypted as well.

Re:Huge pet peeve

And what about servers using vhosts on a single IP?

Re:Huge pet peeve

[MBCook]

IE did that, at least back in the 6 days. I don't know if it still does.

It trained users to click "don't warn me again".

Since there was (and still is) no way to discern what is being sent (important stuff or just a Google search) that box is obnoxious and useless.

Re:Huge pet peeve

[QuoteMstr]

And what about servers using vhosts on a single IP?

More people need to use RFC3546 Server Name Indication for SSL name-based virtual hosting. All major browsers already support it; the only barrier is Apache and OpenSSL. mod_gnutls for Apache, however, works perfectly.

Even in the absence of RFC3546 support, there are several workarounds:

• Your form has to submit a single, non-virtually-hosted URL to work properly anyway. Just put the page that displays the form in this location as well.
• Use a wildcard SSL certificate
• Purchase additional SSL certificates

Frankly, if you're legitimate enough to be accepting sensitive information over SSL, you have the resources to use employ of these options.

Re:Huge pet peeve

[QuoteMstr]

IE's warning appeared on all form submissions. I agree that warning was worse than useless.

I'm talking about warning only when the following conditions apply:

1. The form being submitted is on a non-encrypted page
2. The form's action refers to a page served over HTTPS

The user should not be able to disable the warning; its existence will lead webmasters to change condition 1.

Re:Huge pet peeve

[AceJohnny]

browsers should display a warning when submitting a form on an unencrypted page to an encrypted URL.

They already do. In fact, that's the very first thing I disable on a newly-installed browser. Otherwise I get this annoying and useless dialog everytime I use Google!

Maybe you mean displaying a warning on forms that include an input type="password" field, those where characters appear as stars?

Re:Huge pet peeve

[thePowerOfGrayskull]

This would be great, except that most users don't read warnings. They click through them in whatever looks like the most likely path to allow them to finish what they started.

Re:Huge pet peeve

[QuoteMstr]

Of course users won't actually read the warning. The point is to annoy users so that webmasters eliminate the behavior causing the annoying warning.

Re:Huge pet peeve

[AnyoneEB]

Hint: Forms with password boxes contain secret information.

Of course, plenty of sites send passwords over HTTP (hopefully no banks...), so a blanket warning on passwords being sent unencrypted would just train users to ignore the warning. Furthermore, the use of passwords sent via HTTPS forms is still training users to type their passwords into phishing sites (if they manage to get to one via a typo or convincing e-mail (my credit card company includes links to their site in their e-mails, faking those e-mails with a slightly different link would be trivial)), but better auth methods are not easy to switch to.

Re:Huge pet peeve

[QuoteMstr]

Furthermore, the use of passwords sent via HTTPS forms is still training users to type their passwords into phishing sites

Hopefully, the anti-phishing features of recent browsers will reduce the danger of this attack vector.

Re:Huge pet peeve

[behindthewall]

Entirely agree. There was a nascent guideline for users: Check the "padlock". Check that the protocol is https.

Designers then started breaking this. To avoid an extra https serve, particularly on a front page or popular page. For the sake of "Design", including putting a sign in form on the front page. Etc.

At least I knew to, if at all possible, force the site to serve up an https version of the sign on page. Most users have no clue about that. And the means for accomplishing this vary. Sometimes, you can do it by replacing "http" with "https" and resubmitting. Sometimes by submitting a blank form. Sometimes you have to populate the form with garbage in order to get by initial checks; the "error" page that comes back when the garbage credentials aren't found is served as https, if you're lucky.

Users were just learning to secure their transactions, when those who presumably had interest in the users' doing so, broke the paradigm, and broke it hard.

I'm at the end of my patience with such fools, who consider themselves professionals.

I'll also mention the idiots who populate their https pages with http references to components. Once you pull in one unencrypted piece, you've opened the door to exploitation. Get a f*cking clue.

Re:Huge pet peeve

I have a technical solution, but it won't be popular: browsers should display a warning when submitting a form on an unencrypted page to an encrypted URL. Since web designers are afraid warnings will spook users, they'll switch to making the form-entry pages encrypted as well.

Using Firefox? Tools -> Options -> Security -> Warning messages -> Settings -> "Display a warning message when I submit information that is not encrypted."

If I remember correctly, it's enabled by default.

Of course, every person I know disables that warning the moment they make their first Google search and get a warning they're about to transmit unencrypted information.

Displaying a warning message every time a user performs a search is a great way to train users to click 'OK' on every security dialog as soon as it pops up.

Re:Huge pet peeve

[skeeto]

A site should never lead the user to type sensitive information into a form on an unencrypted page, even if the form's data goes to an encrypted location when submitted.

I couldn't agree more. I have seen this a number of times and it really bothered me. Every time I came across this, I would check the HTML source to be sure the "action" attribute pointed at https (or could that still bite me somehow?). I haven't seen this bad behavior in awhile, though.

Re:Huge pet peeve

[QuoteMstr]

You misunderstood my point. That's not the warning I'm talking about.

I'm talking about a far more selective warning.

Re:Huge pet peeve

[Dekortage]

Designers then started breaking this. To avoid an extra https serve, particularly on a front page or popular page. For the sake of "Design", including putting a sign in form on the front page.

Errr... you really think the DESIGNERS cared about extra HTTPS hits??? They were probably told to put the login on the home page. Then, the sysadmins balked at the idea of an increased SSL load, but still said the login could be done securely if the form action was HTTPS.

The real problem is browsers. They should have been designed so that only HTTPS forms could submit to HTTPS actions. No HTTP form should be accepted.

Re:Huge pet peeve

[AusIV]

Every time I came across this, I would check the HTML source to be sure the "action" attribute pointed at https (or could that still bite me somehow?).

According to Moxie Marlinspike, (creator of SSLStrip), some browsers will re-download the page when you click view source. It would be plausible to convert https to http for the first request only, so if the user requests the source for checking the submission form, it would say https when they checked it.

Re:Huge pet peeve

The point is also to bring many-eyeballs into play, since statistically, the more popular a site that is attacked, the more likely someone is going to notice and complain.

An attack that can be caught by even a slightly clever user with a standard browser is likely to be caught (and become useless). An attack that cannot be caught except by a user who understands TLS and uses a toolset other than a standard browser all the time, is much less likely to be caught, and much more likely to bear rewarding fruit.

openssl s_client -connect dom.ain:443 -verify 99 -cipher 'kEDH+HIGH:kEDH+MEDIUM'

is useful. You want the kEDH (ephemeral Diffie-Hellman session keys) in there because otherwise someone can just record your TLS (or SSLv3, ugh) conversation and then social engineer the master certificate from the site at some point in the future, and then readily easily trivially recover the cleartext from the recorded cryptotext. You want the -verify 99 in there to make sure the whole certificate chain is valid. It often isn't! Most TLS/SSL clients will happily connect to servers with dodgy, unverified intermediate certificates, opening an MITM attack vector.

Sadly, this sort of thing will be commonplace:

85277:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

[We don't do ephemeral DH because it takes too much cpu! Or because our SSL engine can't do it! The latter is especially disappointing in sites that allow HIGH (AES256-SHA, for example, as with google -- or simple misconfiguration, as I just discovered with my imaps but not with my STARTTLS on my imap on the same machine... sigh. *shakes fist at SSL/TLS complexity*)]

Re:Huge pet peeve

[QuoteMstr]

Fascinating. Thanks -- I always supposed google's SSL configuration was top-notch, but I guess not:

danc@pluto ~]$ openssl s_client -connect www.google.com:https -verify 99 -cipher 'kEDH+HIGH:kEDH+MEDIUM' /dev/null
verify depth is 99
CONNECTED(00000003)
4869:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:

Re:Huge pet peeve

It turns out cyrus imap and several other implementations can't do ephemeral session keys in a thread-safe way, apparently because of some awkwardnesses interfacing with openssl 0.9.7l (and earlier). Apache manages it, however, so I think that this is overstated.

"DH:HIGH:MEDIUM" is a reasonable default ciphers list for openssl.

Apache enables all sorts of very weak encryptions, and I'm willing to bet that there are many many many sites that don't change the SSLCipherSuite to something safer. A good MITM vector is the SSL ciphers negotiation, trying to force down the amount of encryption the two communicating parties use. Some of the ciphers in EXP can be broken in real time by a well-funded attacker.

SSLCipherSuite makes a depressing google search term... lots of hits showing how to *water down* the default mod_ssl security (which is insufficiently strong to start with), lots of hits showing how to strengthen it by enumerating a small list of specific ciphers (AES-128-SHA:...) that excludes ciphers with ephemeral session keys. The latter *may* sometimes be weaker ciphertexts on their own, but stronger ciphertexts which can be recorded and attacked in the future if the master private key is acquires are weaker than those that will have to be brute forced ("perfect forward secrecy", PFS) because the particular session key was decoupled from the master private key.

PFS is simply not a big goal in people's minds, even as the computational burden falls.

Given that *every* google node that terminates SSL connections *must* have a copy of the master private key (in order for PK to work at all), and there must be windows for an attacker to recover a cleartext copy of that key in reasonable time (everything from social engineering to gaining access and probing physical memory), it is almost certainly easier (and it's clearly more attractive) to attack *all* the sessions protected by the master private key than to attack *most* of the individual sessions.

Physical access plus a cryogenic gas and insulating box -> you have all the sessions protected under the key if you can recover it.

Ex-employee -> you have all the sessions protected under the key she or he takes out the door, or the password she or he takes out the door and the encrypted master private key you already have by other means.

Master private keys that are obsoleted fairly frequently (annually) are no protection, they just close off some of the avenues of recovering the plaintext master private key.

For my sins, I decided I had to have a *plaintext* copy of my master private key *on disk* on a server because a critical service had no secure way of decrypting the encrypted version. It's protected by ACLs/permissions alone, and a clued-in attacker who gained priviliged access to the server would be able to find it relatively quickly.

However, that particular service is also doing ephemeral session keys, so recovering the plaintext master private key just opens a spoofing attack (attacker can pretend to be my server), but does not at present make it easier to recover recorded sessions that were protected by ephemeral keys. (Some clients did not do ephemeral session keys, though...)

PFS = useful.

PFS is certainly more expensive than no PFS; DH negotiation is costly for CPU and also costs possibly 2xRTT on the network.
This *was* considered hugely expensive.

Now, the impact of PFS on user experience is shorter than the authentication wait on password authentication.

PFS is probably good practice.

There's an obvious tradeoff between obsessing over PFS and deciding it's not worth it. For instance, there are lots of ex-employee attacks which are at least as attractive (walk away with the backups of all the side-effects left server-side by clients who use PFS or crypto or plaintext...).

However, given how easy it is to intercept and record traffic for long periods of time without being caught, and how cheap it is to store traffic until it becomes computat

Re:Huge pet peeve

[Simetrical]

I have a technical solution, but it won't be popular: browsers should display a warning when submitting a form on an unencrypted page to an encrypted URL. Since web designers are afraid warnings will spook users, they'll switch to making the form-entry pages encrypted as well.

Or they'll say "your web browser sucks, use a better one". And the user quite possibly will, especially if the browser to implement the feature isn't MSIE. Browsers cannot afford to annoy their users more than the competition does.

Shared private keys.

[wiredog]

Public key crypto-systems.

Not buying anything online via the web-browser.

OK, that last is crazy talk.

EV certificates

[Lieutenant_Dan]

"for more widespread EV certificate deployment"

That's probably being sold by Thawte. And considering that a lot of browsers out there still don't support EV.

Extended validation? When I pay for a digital cert, I expect a high level of validation anyways. Makes you wonder, what level of validation they've been doing for the past few years.

SSL always MITM as one of its exploits. There's a lot of network gear (e.g. Cisco's IronPort) that do just that in order to enforce security policies of an organization.

Re:EV certificates

[QuoteMstr]

SSL always MITM as one of its exploits. There's a lot of network gear (e.g. Cisco's IronPort) that do just that in order to enforce security policies of an organization.

That's still impossible unless you're okay with the client getting the wrong certificate. In a corporate environment, you can just install a CA certificate in every client and the user will be none-the-wiser. But in general, SSL is not vulnerable to undetected MITM attacks.

Re:EV certificates

[blueg3]

If you've paid for digital certificates, shouldn't you know what level of validation they've been doing?

Also, as far as I know, all modern browsers support EV certificates, but not all of them differentiate EV certs from regular ones. Firefox 3, however, does.

Re:EV certificates

[Lieutenant_Dan]

Thanks for info; that's probably exactly how it happens. In an environment with a captive audience, you issue your own cert and 99.9% of the corporate users won't even notice.

Re:EV certificates

[The+Moof]

Makes you wonder, what level of validation they've been doing for the past few years.

If the credit card making the purchase was declined or not.

I do not like the whole "EV certification" thing. Not because I dislike the process or what it's designed to do, but because CA's were already supposed to be doing the verification in the first place (apparently, they weren't). Now they want to charge more money to do what they were originally supposed to do.

Re:EV certificates

[QuoteMstr]

I do not like the whole "EV certification" thing. Not because I dislike the process or what it's designed to do, but because CA's were already supposed to be doing the verification in the first place (apparently, they weren't). Now they want to charge more money to do what they were originally supposed to do.

Like most human behavior, this problem can be explained by economics.

The problem is that the CA system creates the wrong incentives. You, as a CA, want to sell as many certificates as possible. There are almost no repercussions for issuing a fraudulent CA. In theory, browsers are supposed to remove rogue CAs from their CA lists, but in practice that doesn't happen: they're too afraid of "breaking the web" and being sued to actually punish CAs for having lax security.

Comodo, for example, delegates its CA business to fly-by-night subsidiaries who issue certificates with no verification whatsoever. This is the worst situation imaginable from a security perspective, but even after this contemptible practice was exposed, neither Microsoft nor Mozilla Corp. removed the Comodo root certificate. I've personally removed it in all the browsers I use, but most users won't do that.

Comodo's behavior is no surprise, however. For them, it makes sense from an economic point of view. Yelling and screaming will change nothing. The EV program is slightly better in that it's an industry agreement to perform better validation, but it'll inevitably succumb to the same market forces. As EV certificates become more entrenched, it'll become too difficult to punish rogue EV vendors, and we'll be in exactly the same situation we are today with standard SSL certificates.

CAs validating websites and taking payment from them creates the same perverse incentives that led credit rating agencies to contribute to the current economic crisis. You can't count on people's goodwill to make them do the right thing: if you want the right thing to happen, you need to make the right thing the easy or profitable thing.

There are a couple solutions to the incentive problem:

1. Make users pay CAs to validate websites: this puts the economic incentives in the right place, but users will resent paying for what used to be "free". Personally, though, I'd subscribe to an enhanced validation service.
2. Change CAs into non-profits: the problem with this approach is that funding would then have to come from the government or some other organization. Can you imagine "PayPal, stop accepting payments for contraceptives or we'll revoke your certificate, you liberal hippies"?

I wish I could come up with better ideas.

Re:EV certificates

[Lord+Ender]

You are wrong. It is impossible to MITM properly-implemented SSL without having access to a trusted CA.

Re:EV certificates

[Timothy+Brownawell]

There are a couple solutions to the incentive problem:

1. Make users pay CAs to validate websites: this puts the economic incentives in the right place, but users will resent paying for what used to be "free". Personally, though, I'd subscribe to an enhanced validation service.
2. Change CAs into non-profits: the problem with this approach is that funding would then have to come from the government or some other organization. Can you imagine "PayPal, stop accepting payments for contraceptives or we'll revoke your certificate, you liberal hippies"?

I wish I could come up with better ideas.

Having a CA funded by anyone but the website also doesn't work, since the site needs to get a certificate from the CA before going live. And unless it's ICANN running the CA, a site might need to get certs from multiple CAs if people in different countries or with different browsers want to talk to them.

Hmm, there's a thought. Self-signed certs, with the root cert fingerprint available as a DNS record, using DNSSEC. Then get the real-world identity info from 'whois'.

Or use something based on "can't fool all of the people all of the time" like Perspectives (see sig), where instead of having a CA that gives the site owner a certificate, there are a bunch of public servers that you ask whether they see the same key you see for whatever site you're going to.

Re:EV certificates

[QuoteMstr]

Having a CA funded by anyone but the website also doesn't work, since the site needs to get a certificate from the CA before going live.

I don't see why a site requesting a CA needs to be live. Consider FooCA, a for-pay CA that users subscribe to, or that ISPs subscribe to on behalf of their users. (There are other models --- this is just an example). If BarInc wants a certificate from FooCA, BarInc just applies to FooCA as soon as BarInc incorporates and obtains BarInc.com. Why would BarInc.com need to be live at this point?

Hmm, there's a thought. Self-signed certs, with the root cert fingerprint available as a DNS record, using DNSSEC. Then get the real-world identity info from 'whois'.

That's a thought. But first we need DNSSEC, which would make me a happy man in any case. :-)

Or use something based on "can't fool all of the people all of the time" like Perspectives

That solves some problems, but I'd rather have a robust CA system so that nobody has to be in that group of fooled people. Perspectives also adds significant latency to the connection and has other technical problems, but combined with other security measures, I don't see it as being all bad.

Re:EV certificates

[LanMan04]

That's probably being sold by Thawte. And considering that a lot of browsers out there still don't support EV.

IE7 does
Firefox 3 does
Safari does

So what browsers don't that people actually use? No, Opera doesn't count. :)

Re:EV certificates

[Timothy+Brownawell]

Having a CA funded by anyone but the website also doesn't work, since the site needs to get a certificate from the CA before going live.

I don't see why a site requesting a CA needs to be live. Consider FooCA, a for-pay CA that users subscribe to, or that ISPs subscribe to on behalf of their users. (There are other models --- this is just an example). If BarInc wants a certificate from FooCA, BarInc just applies to FooCA as soon as BarInc incorporates and obtains BarInc.com. Why would BarInc.com need to be live at this point?

If FooCA just gives BarInc a cert, how do they extract any sort of payment from the visitors? Once the cert is in the wild, anyone can use it to verify BarInc.com. So FooCA would have to not provide it to anyone until asked (and paid) by one of their customers.

The CA is only involved in issuing the certificate, nobody talks to them per site visit. Having the visitors instead of site owner pay the CA would require changing this, which doesn't seem feasible.

I'd rather have a robust CA system so that nobody has to be in that group of fooled people

It shouldn't be the users getting fooled, just some of the perspectives servers. And since only some of them are fooled, when the user asks all of them they'll get different answers and know that something's up.

I actually think the CA system is much more fragile, since you only have to fool one person once to get an evil cert you can screw anyone with.

Perspectives also adds significant latency to the connection and has other technical problems

It will add latency, but that can probably be limited to the first connection with a scheme like how SSH remembers certs. It also probably has scalability issues and would have privacy issues if anything was ever logged (but not much worse than if say the .com nameservers started logging requests). What other problems do you see?

Re:EV certificates

[Sloppy]

In theory, browsers are supposed to remove rogue CAs from their CA lists, but in practice that doesn't happen: they're too afraid of "breaking the web" and being sued to actually punish CAs for having lax security.

That's because each identity only has one signer. It's easy to "break the web" when we design it to be so fragile.

If there were multiple signers per id, then when the browser lowers its trust in Comodo (perhaps all the way down to zero), identities certified by Comodo just lose some trust. Your web store, which was certified by Comodo, and certified by Thawte (and perhaps some other people), has its identity become less trusted, instead of untrusted. The web isn't "broken"; the web just temporarily gets a little more "iffy" (it becomes nearly as broken, although not quite as broken, as the web we all know today) until you get around to replacing Comodo with someone who does their job right.

Re:EV certificates

[sowth]

Depends upon how the site is used.

Perhaps sites taking credit cards should have their keys signed by credit card issuers. I would have more confidence if at Visa or Mastercard or American Express indicated the site is valid and may be trusted. Though I also think we should be using cryptography or at least have limited throw away accounts for transactions, so you don't risk losing your entire bank account or balance limit to fraud.

I do not understand since financial institutions are the major reasons to use SSL certificates, why they don't print their SHA fingerprints on every statement. If I had their fingerprint on my bank's or credit card's statement, then I could easily see if someone is spoofing their site.

The only thing is how much effort you have to go to find the fingerprint. To see the fingerprint in Firefox, you have to click on the lock, select view certificate, then find the fingerprint among twenty or so lines of hex and crap. Not nearly as bad as it used to be, as I remember, you had to click through a huge tree to find what you wanted.

I like how they decided to print the domain name next to the lock. Maybe they should do something similar with the SHA fingerprint too.

As for just private browsing, you may not need a CA at all. I think most forms of snooping governments and other bulk privacy invaders use are passive, so just having a site encrypted is enough. ...unless you think you are targeted for investigation. Though the ssh method of warning when keys change can help protect with this. I am not sure CAs can protect you from active government investigations at any rate. I'm sure they obey any court order such as a wiretapping warrant anyway.

Re:EV certificates

[Simetrical]

There are a couple solutions to the incentive problem:

1. Make users pay CAs to validate websites: this puts the economic incentives in the right place, but users will resent paying for what used to be "free". Personally, though, I'd subscribe to an enhanced validation service.
2. Change CAs into non-profits: the problem with this approach is that funding would then have to come from the government or some other organization. Can you imagine "PayPal, stop accepting payments for contraceptives or we'll revoke your certificate, you liberal hippies"?

I wish I could come up with better ideas.

Why don't you have the site's key certified by the registrar where it registered its domain name? They don't have to do any validation at all: they know you're the one who owns the domain, because they just sold it to you! If someone can get access to the registrar's web interface for controlling your domain names, they can point them to other servers anyway, so any further validation is superfluous.

The registrar is in a uniquely good position to validate your identity. They can do it for free, in fact. And there are no perverse incentives here: if they allow someone else to get a certificate for your domain, you're going to rightfully be extremely ticked off at them, and may move to another registrar.

As a final bonus, since validating your identity would be free, competition would likely force many big-name registrars to give away basic certificates for free. Then every site can use SSL, not just the ones that can afford certificate costs, resulting in a more secure web.

Putting the public key (no certificate required at all) in a DNSSEC entry would also be a good solution. Again, zero extra validation required, and no extra cost.

Hype

[TheRealJobe]

Please don't get me wrong, this will make a nice addition to a toolbox. However, the hype I have seen tied to this tool is overwhelming. It seems like conferences have become more reliant on over-hyping items like these to promote the conference name more than anything else.

SSL Strip = Porn?

[drewzhrodague]

Is this porn for the security researcher? I guess I should RTFA.

Re:SSL Strip = Porn?

[Zwicky]

Hm, the article and summary both list it as SSLStrip but the only software I can find on the site is SSLSniff, which appears to be it? Maybe it was renamed because the link as given in the summary redirects to the main page.

Re:SSL Strip = Porn?

No, look at the source code of the page. He commented it out, probably due to bandwidth issues.

Posting anon to not screw up moderation.

So is redirecting to https

[xaositects]

prior to them inserting login information safe? For instance, for the business application I develop, I check to see if the user accessed the login page via ssl, and if not, I user header('Location https://blah/ to get them to the ssl login page. To me that should be good, but the site above seems to indicate even that is not safe since a person could spoof the cert as soon as the site is accessed. Or perhaps I'm not quite understanding it clearly.

Re:So is redirecting to https

[QuoteMstr]

There is nothing you, as a web application developer, can do to mitigate this problem other than educating users and busting the IT department's balls to get them to improve real network security.

(Well, you could use clever Javascript to try to heuristically detect funny business in the page location, but if you're important enough, an attacker will just the detection Javascript when proxying your site.)

Re:So is redirecting to https

[Chuck+Chunder]

Does the "business application" you develop require a non http page? If it's one used by the general public then probably but if it's not (ie it's used internally or by a specific set of customers who can be supported) then consider only running an https service (no http).

That way users won't have an http bookmark or history/autocomplete entry that an attacker can begin the spoof from. Existing users will come straight into the https site because that's all there has been.

New users (and others who might incorrectly type in an http address) could still be hit by the attack but a large proportion of your users would be safe from exposure.

For a site that needs to be accessible to the general public perhaps a redirect-permanent to https on any hit to the http site might have a similar positive effect on bookmarks (and maybe history/autocomplete entries though that would depend on the browser).

The only way to limit exposure to this attack is to have your users hitting the https site directly.

Your SSL check just before login doesn't help because the http connection you are issuing the redirect over isn't secure and the attacker can manipulate it.

Re:So is redirecting to https

[jonwil]

If you are a web application developer, start by making 100% of your pages HTTPS. There is no valid reason to have, say, a web form on HTTP and the submit location HTTPS.

Re:So is redirecting to https

[emlyncorrin]

but if you're important enough, an attacker will just the detection Javascript when proxying your site.)

I think you just a word.

EPA Crackdown: No More IP Over Open Air

[WED+Fan]

UPI - Crow Agency, WYOMING - The Federal Environmental Protection Agency has issued a crackdown order on a traditional method of communication and possible free public access to the Internet. The method utilizes traditional Native American techniques with a modern twist. Computer signals called packets are translated into smoke signals and released into the atmosphere. The first message sent using this technique contained the message, "The casino is now open. $3 Black Jack and Texas Hold 'em. Smokey Robinson for 3 nights starting next full moon."

EPA spokesman Harvy Jamal Foshizelmeyer explained the crackdown, "This is hardly a carbon neutral means of communication."...

SSLStrip redirects to index now

[exloterum]

It's completely different. He's had SSLSniff listed on there for awhile now. All requests made to SSLStrip now redirects to the index page. Maybe he doesn't want to exceed his bandwidth?

Re:SSLStrip redirects to index now

[Zwicky]

OK good answer.

Thanks; my mistake. :)

Re:SSLStrip redirects to index now

He says that he hadn't published the link yet, someone just figured out what it was going to be and slashdotted it. =(

An anarchist resource since 2004?

[edgewedge]

Holy crap, looking at the source to sslstrip, this was written in 2004! I wonder if the anarchist underground hacking scene has had access to this for all that time? Why release it now I wonder?

Bank of America is partway there

[uberhobo_one]

For a time, Bank of America's main page was http://, even though you entered your account information into a secure form. Some people raised a stink and they changed it. Before that occurred, I decided to use one of NoScript's features to force the entire domain bankofamerica.com to use https://.

For a while it worked great until a few months later when I signed up for another service on their website that monitored your credit report activity. For about a week, every time I clicked on the link to take me to the login page for that service, I would get a page that told me the link was broken. After calling customer support a few times to see if the site was functional, I realized that the redirect script/server didn't support https, and that I was getting a dead redirect as a result.

I think forcing https on domains is a good idea, but it can be easily undermined by one link in the chain not playing nice.

VeriSign Warranty Plan

VeriSign provides Warranty Protection to consumers to reimburse them for exposure to these types of risks. It can be found here http://www.verisign.com/repository/netsure/netsure2.html

Re:VeriSign Warranty Plan

[sumnerp]

Have you read this? It only covers people who have a Verisign issued certificate, and only against Verisign's errors, issuing a faulty certificate, incorrectly revoking a certificate or exposing Verisign's private keys. Don't see anywhere, that it would cover a consumer (or even a certificate owner) against a MITM attack like this.

But half of American banks forced HTTP login

[George_Ou]

But half of American banks forced HTTP login http://blogs.zdnet.com/Ou/?p=201. Then there's the fact that people never manually type in HTTPS and they rely on an auto redirect, but the redirect could be intercepted and changed to HTTP. The solution requires a modification of web browsers and DNS to automatically enforce HTTP policy because people will ignore HTTP 100 out of 100 times and they will ignore fake certificate warnings 199 out of 200 times. EV is not the solution to this problem because it still relies on the human to make the decision on security.

See http://www.circleid.com/posts/20090219_https_web_hijacking/

The real problem.

[TheLink]

The real problem is the browser makers do not care about security. They only care about the appearance of security.

For example, browsers don't do the SSH style thing where they warn you if the cert changes for a previously recognized site.

Go look at all the built-in CA certs in your browser sometime. Count them if you can.

How sure are you that none of the CAs there won't be tricked/bribed into signing a cert for *.mybank.com ? Who has audited them?

All it takes is just one CA, and AFAIK, none of the popular browsers will warn you that the cert for mybank.com has changed.

In fact, you might be safer if you removed all the CA certs from your browser, and just got your browser to recognize certs from the few https sites that you actually use, on a per cert basis rather than per CA basis.

Then when someone tries to trick you to going to https://www.mybank.com|.cgi-bin.co/ you will get a prompt for the https cert, and then you might notice something strange going on...

Which do you think is a bigger threat to your security? Your bank server using the same ssl cert for years, or someone pulling a cert swap or MITM or XSS trick on you?

But guess what, your bank probably has to renew their cert every year or so and pay $$$ to do so. Is that really for security reasons? Maybe for the CA's financial security, but I doubt it's for yours or the bank's.

The browser makers fill their browsers with certs from dozens of companies. They don't blacklist companies that have been known to screw up and do dubious stuff (like issuing Microsoft certs to people who aren't microsoft, and do naughty DNS stuff).

It's all just a show to make the sheep feel safe.

Re:The real problem.

[QuoteMstr]

It's all just a show to make the sheep feel safe.

The problems you identify with the CA infrastructure are real, but switching to an SSL-style OH-MY-GOD-THE-CERT-CHANGED system introduced vulnerabilities to several different attacks, desensitizes users to security problems, and cannot provide assurance of identity --- only that the site is the same one that you spoke to last time.

Closing your eyes, plugging your ears, and singing "la la la ssh la la la self-signed la la la" won't solve a single thing when someone uses a MITM attack to intercept the first connection to a site.

We can better address the CA problems by making incentives line up in the correct way. Change the system so that the CAs have a financial incentive to not issue fraudulent certificates --- either regulate them, allow regular users to subscribe to a CA verification service, or require that more than one CA sign a particular certificate.

Re:The real problem.

[Vellmont]

The real problem is the browser makers do not care about security. They only care about the appearance of security.

I largely agree. If I had a "secure" browser to use, I'd use it to do all my banking with. Online purchases I don't so much care about as the CC company is really the one taking all the risks.

Re:The real problem.

[WhiplashII]

The problem with your proposal is that sites must change certificates once every few years. So now, every three years the certs change and your browser complains. Say you visit 36 ssl sites. That means that you will have a ssl-alert about once a month - you will just click through, and not check.

In addition to that, this attack, for example, would bypass that! You visit www.mybank.com - all is good, no ssl. You are then redirected to secure.theevilbank.com - again, all is good because secure.theevilbank.com's certificate hasn't changed! The browser can't know that you "meant" secure.mybank.com - it only knows that you submitted a form to "secure.theevilbank.com".

Re:The real problem.

[TheLink]

0) I don't have 36 online banks. And see 2)

1) If the browser makers actually bothered about security, things could be much better than just the simple stuff I mentioned as an example. They could warn if the cert is changing rather early - without there being a revocation. They could warn that the new cert's CA has changed from the old one. But no they don't do any of that. There's plenty they could do, but it's a waste of time. I've already suggested other security improvements to Mozilla/Netscape and the W3M before and they're either not interested or "code it yourself".

Nobody really cares about security, not the users, not the browser people, nor the website (otherwise most banks would tell users to use https://mybank.com/ and not http://mybank.com/ as a starting point).

2) For the users who care: since nobody is doing 1), if you only care a lot about a few SSL sites, you can use a different browser or browser profile, delete/disable most of the CA certs, if not all. Then visiting https://secure.theevilbank.com/ would pop up a warning whereas visiting the secure site would be fine.

When the bank really has to change the cert they could announce it, or if the warning pops up, you don't log in and you do more extensive checking (get independent confirmation of the new cert fingerprints).

3) Also tell me how much less secure stuff would be if certs didn't expire so often? You could still revoke them when necessary. So why should certs be expiring so often?

Basically the CA system as implemented is not about security, it's about a way to collect toll in the internet.

It's all about "Pay me if you don't want users to get warnings when they visit your website".

Go count how many CAs you have in your browser. Would people delete all of those you don't/can't trust? Can you really trust Verisign? Go look at their track record.

Does the browser make it easy to manage them? Firefox doesn't even make it easy for you to tell whether a CA's cert has been deleted/disabled - try deleting a CA cert from firefox, reopen the relevant UI window and then tell me how do you find out if an update has reenabled CA certs that you have disabled without you having to re-editing each and every single CA cert one by one to look at the checkboxes?

Re:The real problem.

[ultranova]

We can better address the CA problems by making incentives line up in the correct way. Change the system so that the CAs have a financial incentive to not issue fraudulent certificates --- either regulate them, allow regular users to subscribe to a CA verification service, or require that more than one CA sign a particular certificate.

A CA is supposed to prove that the server your browser is talking with is the real owner of some domain. There is exactly one entity which can authoritatively state that: the DNS registry.

Pair every domain with a certificate, with the chain of proof of identity expanding up to the root DNS servers. Issue these certificates automatically with the domain, without any external CA's having any say in the matter. That way the problem goes away.

If you want, you can still have an external trustworthy CA - meaning they actually check from official sources - proving that some address belongs to, say, a bank; and the browser can show a more impressive padlock for sites showing that certificate in addition to the normal DNS one. However, the current system simply doesn't work, except to enrich parasites.

Re:The real problem.

[DiegoBravo]

Agreed. I think the https as currently implemented is a dead end.

Maybe what's needed is some sort of httpss:// (double s) and do a new agreement with browser developers that for that case the valid and trusted certs are really mandatory and can't be bypassed by whatever browser configuration. At the same time, promote on banks and every security-concerned institution for only allowing such httpss. It would be reasonable to have a "Secure IE", "Secure Firefox", etc. that only use that SSL enabled version.

Has SSL ever actually worked properly ?

[billcopc]

I'm going to stick my neck out and say that SSL is a false security. Any twit with $29.95 can buy an SSL cert. The mere fact that a page is encrypted via SSL seems to convince people that they are dealing with a reputable site.

I'm much less worried about packet sniffing, and more about fake sites like I see every day in the steady flow of spam. There are many ways to steal someone's private data, all much easier than being on the right network, at the right time, sifting through gbits/sec of garbage for a vulnerable SSL connection.

Say you have an account at the First Bank of Fnarg, and the real web site is "www.firstbankoffnarg.com", what's to prevent an amateur from setting up "www.firstbankofnarg.com", copying the templates, and buying an SSL cert from any registrar ? Send out a legit-looking email with the link, a this will fool a staggering number of people.

It doesn't matter how often you tell them "Don't click on email links", people will do it anyway. They do it because they are lazy, inattentive and hurried. There is no technological cure against human nature.

Re:Has SSL ever actually worked properly ?

[QuoteMstr]

I'm going to stick my neck out and say that SSL is a false security....I'm much less worried about packet sniffing, and more about fake sites

SSL works very well for the kind of attacks it was designed to counter. We need other mechanisms to protect against others. Why would you expect one technique to cover all vulnerabilities?

Major browsers already include anti-phishing features that check blacklists. These blacklists will reduce, but not completely eliminate, the fraud caused by phishing schemes. A few people will always fall prey to them, but through education and centrally-managed blacklists, we can hopefully reduce the number far enough that phishing becomes more trouble than it's worth.

Re:Has SSL ever actually worked properly ?

[flyingfsck]

Geez, $29.99? Where do you buy your certs? You are getting ripped off. Last one I bought was $9.99.

Moxie Marlinspike

Funny, I went to high school with this guy, and he made a small cameo appearance in a dream I had last night, for no apparent reason. I remember visiting http://room101.thoughtcrime.org/ back in the early days -- '95 or so.

Mitigation

[Giorgio+Maone]

http://hackademix.net/2009/02/19/more-https-troubles/

Use https bookmarks

[agw]

As far as I understand the subject, using https bookmarks would be sufficient.
That's what I use for any serious https site, like banking.
I bookmark the https login page and only use this.
That of course makes my bookmarks the next point of attack.

Firefox Helpies

[cakefragment]

about:config

browser.identity.ssl_domain_display

Set it to 2 to see the Common Name of the cert in the address bar. Very helpful to see side-by-side with the URL. EV certs will still show the Organization and Country, but it makes non-EV certs a little more obvious.

Re:Firefox Helpies

[Cruicky]

What an incredibly useful option, thanks!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

This is news?

[archen]

I'm not exactly a security expert, but how is this different from regular HTTPS hijacking? Specifically this seems to be the same as what I read in the dsniff FAQ years ago. It was written in 2001. I'm apparently missing something.

Browser for banking

[TheLink]

You can use a separate browser to do your banking with more secure settings, so even if it is not really more secure software-wise, it can be more secure in configuration. I do that actually.

If you're using windows use "run as".

e.g.
Say you have an account called vellmont.
Create an account called _www_vellmont and make its home directory fully accessible by your vellmont account.
Then in your vellmont account, create a shortcut:

C:\WINDOWS\system32\runas.exe /profile /user:COMPUTERNAME\_www_vellmont "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

After that you can lock it down a bit more, so that only the bank site works and nasties on other sites might not work - if you are using IE on windows you can put all sites except the bank site on "High Security" settings - so that javascript, downloads etc are disabled on nonbank sites. Unfortunately I don't think you can have separate CA certs on a per user account basis on IE.

Not sure if you can do that for firefox either, but the trouble with firefox is it's hard to run multiple instances of firefox on windows at the same time - even with the "run as" stuff.

If you could change the theme used by that browser so you can tell the difference between the bank browser windows and the other windows that would help.

Re:Browser for banking

[QuoteMstr]

Start->Run firefox -ProfileManager -no-remote

Create a profile called, say, 'bank'.

Then run
Start->Run firefox -Pbank -no-remote

Re:Browser for banking

[TheLink]

Thanks. Didn't know about the -no-remote option.

How'd you do the equivalent of IE's security zones?

Would be nice also if one could turn off images, javascript and stuff for non desired sites.

I suppose some messing about with noscript could do the javascript stuff.

Re:Browser for banking

[jonadab]

> but the trouble with firefox is it's hard to run multiple instances of
> firefox on windows at the same time - even with the "run as" stuff.

You know, I've never tried that on Windows. I've had different *versions* installed, which is much easier with Firefox than with IE, but I've never tried to run multiple instances at once (on Windows, that is; I've done it on other OSes, usually in a separate GUI session, e.g., via gdmflexiserver).

Out of curiousity, what problems do you run into when you try it with Run As?

So what's new?

[wakked1]

This is not a new threat or attack. Its been well known for years (http://blogs.adobe.com/stateofsecurity/2007/11/dont_be_ssly.html for xample). Hence proposals like ForceHTTPS (https://crypto.stanford.edu/forcehttps/) or some sort of DNSSEC related solution.

SSL/TLS Client Certificates

[Cruicky]

It is worth noting that sites that use client certificates are not affected by this, as SSLStrip cannot sign the CertificateVerify TLS message due to it not having a client certificate that would be accepted (you hope), therefore the exchange between SSLStrip and the real site would fail.

Granted you can still downgrade the session to HTTP (if you start from a HTTP site), present a fake site, and possibly obtain a password or other form of authentication token, but a valid client certificate would still be required for the authentication tokens to be of any use (assuming this is the only site where said authentication tokens get used).

Faking the real site would be difficult though, as you wouldn't be able to see it as the web server would never serve it to you as you don't have a valid client certificate to view the page.

http://www.sixt.de

www.sixt.de uses http to display the login page but supposedly transfers your login information via https. I never actually checked this, but just assumed they know what they are doing. Now I am no longer sure...

MITM The real problem/solution?

[Reapy]

I am pretty ignorant of what goes on in the security world and things along the nature of vpn, certificates, etc etc, so perhaps this is over my head.

Its funny, I guess I would consider myself a somewhat saavy user, but really, I have never understood certificates, or found a place to explain how they worked. Watching the presentation linked above, makes me even more doubtful of them. I guess ultimately I feel that I can't really trust anything that comes at me over the internet. I don't spend any time knowing where my network traffic goes once it enters my comcast network. I don't know the "usual" hops it should be taking. It's gone once it comes out.

So I guess being ignorant of their workings, has always led me to believe that, if a computer is sitting between me and my destination, it can do whatever it wants to that traffic, including sending me a 'certificate'.

Ultimately it's all bits right? Just 1's and 0's. It's all sitting there in an ip packet, waiting to be pulled out. Encrypted or not, its still voltage on the line, or light, or whatever. What makes this set of data coming down more "real" then that set of data?

I guess if I knew more, I could answer that with question by saying things like HTTPS , SSL, public/private key, VPN, or whatever other technologies exist out there. But I guess in my head I know that ultimately, they are bits, and you'll never really know where its going from. Just kinda cast the die out there if I use say online banking, and see what happens, and just trust that if I see that my bank account is going haywire, I can call the company and fix it.

But this whole SSL attack seems based on the fact that via arp poisoning or whatever, it is trivial to plug into a network in which you understand the routing protocols, send out some stuff, and start parsing traffic.

That is really where the security work should go, but again, ultimately, there probably isn't a good working solution there, and like anything, would be an arms race again.

Anyway, pretty interesting presentation and vulnerability demonstration.

Just D/L and watch the Moxie's talk and interview.

[The+Dark+Tangent]

A lot of people are speculating what it all means.

How about just watching the talk and deciding for yourself?

https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov

Interview:
https://media.blackhat.com/bh-dc-09/blackhat-dc-09-marlinspike-interview.m4v

dnssec does not exist

[anton_kg]

Just read wiki and the following paper (2002): http://cr.yp.to/djbdns/forgery.html
Two most secure implementations of DNS servers Djbdns and MaraDNS are not even bother to implement this until they see (1) a stable, sensible DNSSEC protocol and (2) a detailed, concrete, credible plan for central DNSSEC deployment.

SSL exploits always disappoint

Every time I read about a new SSL exploit I always come away with a sense of 'duh' and a deep feeling of disappointment because the expliots are always just obvious social engineering experiments that require zero crypto knowledge and zero creativity to implement.

Running a proxy, changing URLs adding fake padlocks...etc.etc are all obvious attack vectors that really work for most users. End user gullability is the central reason we have spam and botnets.

Yes security concious institutions stab themselves in the heart by inventing cute padlocks and proclaiming security when their reassurances are in fact a dangerous diversion from the only things the user should actually be focusing on to ensure their security online.

Summarizing the BlackHat talk...

[patniemeyer]

The attacks that he presented in the talk boil down to the following:

0) There used to be an egregious bug in certificate verification that blew up everything (you could create certs for whatever you want). That's been fixed in most cases and so he moves on.

1) For everything that follows you need to get into a position to do a MITM (man in the middle) attack. He claims that this is really easy via ARP spoofing, etc.

2) You exploit the fact that most secure sites either redirect from unsecure (http) servers or blatantly start from an unsecure page and post login over https from there. Since you are a MITM you just rewrite the pages to strip out the https.

Most of his talk is about #2, which I agree is serious, but basically obvious stuff stemming from being a MITM.

3) He discusses ways to make #2 appear more secure to the user by:

a) putting up fake lock icons on the page
b) using international domain name lookalikes to put up your own https secured fake sites
c) using a nasty IDN lookalike for https:/// that lets you shove the true domain name off the address bar.

Point a is blah.

Point b seems to have been taken care of to some extent in Firefox by not displaying international character sets for some domains like .com.

Point c looks *really* nasty but seems to have obvious fixes in the browser. i.e. stop displaying things that look like http(s):// as part of a subdomain.

People asked many questions at the end: About half just missed the point that you're a MITM and can rewrite anything the site puts in the page. The other half wanted new kinds of auth mechanisms supported either by DNS or the sites. The speaker points out that as long as not all sites implement the new features client browsers can't rely on them and can't even "test" for them properly because of DOS attacks.

Basically it sounds like the only solution is browser side list of sites that you should only hit via https.

SSL MITM

[John+Sokol]

I remember getting flamed something terrible when SSL was first announced and I said at that time there was no way to stop a Man In the Middle Attack.

All sorts of irrelevant counter arguments were made at that time too.

Certificate and DNSSEC are also useless.

Why, because if your using your PC from 1 ISP or your employers fire walled Intranet, then from the time you install a browser on your PC there, nothing can be trusted.

Certificates and DNSSEC would also come from MITM servers.
There firewall could send you bogus certs and then give you valid connections as if they were the real web site. In turn there fire wall could unwrap your encrypted traffic, then repack it in to the real cert for connection to the SSL'ed web site.

Unless you are going to manually install your keys that you brought from a second clean source there is nothing your going to be to be able to even tell that you've been compromised.

So SSL's largest problem is when your sitting at your office in your big corporate job, and it's got the SSL lock, your lulled in to a false sense of security!

I worked for a German Multinational. All net traffic from my US office went through Germany to get on to the net.
I'd find it impossible to believe that if they had wanted to, that they couldn't do a very complete MITM attack.

My solution was to do SSH over SSL, where I'd bring my own SSH keys in on USB Stick.
then I could run X over that SSL to a Firefox running on my own Personal CoLo running Linux.

I could also have done a VPN over SSH over SSL.
Nice thing about these are canned large corporate attacks wouldn't be geared to deal with it.

Problem is everyone arguing about security it thinking hackers and not corporate spying of employees or government spying of foreigners or it's citizens.

I just remember that German Citizen while in the USA had to be given special internet and phone because under German law they weren't allowed to be monitored and because it was a German company they had to be given the same rights as if they were in Germany.

So I'd say it was safe to assume, I wasn't given that special privilege of not being monitored.

On the subject of recorded IP traffic logs, if it's an after some incident, they can put lots of time and money into cracking your encrypted traffic. Some of these Intellectual property law suites can go on for 10 years. You are a fool to think that they wouldn't crack your keys and see everything that you ever viewed over the web while at work.

It's for this reason why I love one time pads, it's a real loss that security people keep dismissing them.

for some interesting reading:
http://iang.org/ssl/
https://www.financialcryptography.com/

Download from here, too

[kernel.package]

http://hackaday.com/2009/02/23/sslstrip-hijacking-ssl-in-network/