Slashdot Mirror


SSLStrip Now In the Wild

An anonymous reader writes "Moxie Marlinspike, who last week presented his controversial SSL stripping attacks at Black Hat Federal, appears to have released his much-anticipated demonstration tool for performing MITM attacks against would-be SSL connections. This vulnerability has been met with everything from calls for more widespread EV certificate deployment to an even more fervent push for DNSSEC."

10 of 208 comments

  1. Alternatives by jetsci · · Score: 4, Interesting

    I guess the question then is, what do we use as an alternative? What can we even do?

    --
    Bored at work? Play Game!
    1. Re:Alternatives by Dekortage · · Score: 2, Interesting

      Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.

      Maybe. The login form might be located on an HTTP page, but as long as the form submits to an HTTPS page, your login credentials are still SSL-encrypted. Conversely, if you have an HTTPS login form, but the form action goes to an HTTP site, your credentials are NOT encrypted.

      --
      $nice = $webHosting + $domainNames + $sslCerts
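As an added example (not from this thread or from sslstrip), here is a small audit script for the point above: the page's own scheme says nothing about where the credentials go, so the check has to resolve each password form's action and look at that URL's scheme. The hostnames are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Record each form that contains a password field and its resolved action."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None   # [action, has_password] while inside a <form>
        self.forms = []        # completed (action, has_password) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action submits back to the page's own URL.
            self._current = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_forms(page_url, html):
    """Return (action_url, verdict) for every password form on the page.

    'ok' means the action is https, so the credentials are SSL-encrypted even
    when the page itself came over http; 'exposed' means the action is plain
    http, so the password leaves the browser in clear even on an https page.
    """
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    return [
        (action, "ok" if urlsplit(action).scheme.lower() == "https" else "exposed")
        for action, has_password in parser.forms
        if has_password
    ]


# Constructed sample markup (hypothetical hosts) for the two cases in the comment.
HTTP_PAGE_HTTPS_ACTION = ('<form action="https://login.example.test/session" method="post">'
                          '<input name="user"><input type="password" name="pw"></form>')
HTTPS_PAGE_HTTP_ACTION = ('<form action="http://www.example.test/login" method="post">'
                          '<input type="password" name="pw"></form>')
```

A form with no action attribute resolves to the page URL itself, so on an http page it is reported as exposed.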
    2. Re:Alternatives by kybred · · Score: 2, Interesting

      Your first login attempt may fail as the password is redirected to the attacker, but once your attacker has your password, he can return things to normal so your second login attempt will succeed. You'll just think you mistyped the password on the first try.

      That's why I always type my password in wrong on purpose the first time!

  2. Re:Not the end of the world by IBBoard · · Score: 3, Interesting

    If you read some of the articles (Forbes and a linked one) he can spoof the appearance of a valid certificate as well using International Domain Names. The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://[a load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/

    For the basic attack, then, actually checking for HTTPS and a proper validation (not just a padlock, but a padlock and the other markers) would do; but for the fuller attack that takes advantage of the IDN you'd probably need to read the certificate itself, which would require you to know which certificate you're expecting, which would require something like a page with the signature on saying "look for this", which could then also be spoofed (in cases where it was worth it, e.g. a bank).

  3. EV certificates by Lieutenant_Dan · · Score: 2, Interesting

    "for more widespread EV certificate deployment"

    That's probably being sold by Thawte. And considering that a lot of browsers out there still don't support EV.

    Extended validation? When I pay for a digital cert, I expect a high level of validation anyways. Makes you wonder what level of validation they've been doing for the past few years.

    SSL has always had MITM as one of its exploits. There's a lot of network gear (e.g. Cisco's IronPort) that does just that in order to enforce the security policies of an organization.

    --
    Wearing pants should always be optional.
  4. Hype by TheRealJobe · · Score: 2, Interesting

    Please don't get me wrong, this will make a nice addition to a toolbox. However, the hype I have seen tied to this tool is overwhelming. It seems like conferences have become more reliant on over-hyping items like these to promote the conference name more than anything else.

  5. Re:Not the end of the world by QuoteMstr · · Score: 2, Interesting

    The certificate won't be valid for the site that you wanted, but that won't matter because it'll have redirected you to https://[a load of characters that look like 'paypal.com/somepath' but are actually non-ASCII characters].evil.com with a wildcard certificate for *.evil.com and look like https://paypal.com/some-path-here-that-is-really-really-really-really-long.evil.com/

    Hrm. I must have missed that; it's a clever trick. Then again, I've always thought international domain names were gratuitously unnecessary.

    The solution to this problem is simple, and I'm surprised browsers don't do this already: add any fake '/' character that isn't in the IDN blacklist. In Firefox, network.IDN.blacklist_chars already contains plenty of things that look like '/'. Maybe other browsers need to follow its example.
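As an added example (not from this thread, and not Firefox's actual network.IDN.blacklist_chars value), the check below shows the defender's side of this comment: it flags hostname labels that contain a constructed set of delimiter lookalikes, renders what the host would appear as, and reports which domain a wildcard certificate would really cover. The lookalike table and the spoof hostname are constructed for illustration.

```python
# Constructed table of non-ASCII characters that render like URL delimiters.
# Illustrative only; it is NOT Firefox's network.IDN.blacklist_chars list.
LOOKALIKE_DELIMITERS = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
    "\u2024": ".",   # ONE DOT LEADER
    "\uff0e": ".",   # FULLWIDTH FULL STOP
    "\u3002": ".",   # IDEOGRAPHIC FULL STOP
}


def deceptive_labels(hostname):
    """Return (label, what_it_looks_like) for each label holding a lookalike.

    Only the real ASCII '.' separates labels, so 'paypal<ONE DOT LEADER>com
    <FRACTION SLASH>some-path' is a single label that merely renders as
    'paypal.com/some-path'. An empty list means nothing suspicious was found.
    """
    findings = []
    for label in hostname.split("."):
        if any(ch in LOOKALIKE_DELIMITERS for ch in label):
            rendering = "".join(LOOKALIKE_DELIMITERS.get(ch, ch) for ch in label)
            findings.append((label, rendering))
    return findings


def certificate_scope(hostname):
    """Return the domain a wildcard certificate for this host really covers:
    the last two labels (e.g. 'evil.com' for '*.evil.com'). Assumes a simple
    two-label suffix; a production check would consult the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def analyse(hostname):
    """Summarise the address-bar impression versus what is actually true."""
    return {
        "renders_as": "".join(LOOKALIKE_DELIMITERS.get(ch, ch) for ch in hostname),
        "cert_covers": certificate_scope(hostname),
        "deceptive": bool(deceptive_labels(hostname)),
    }


# Constructed hostname in the spirit of the comment: 'paypal.com/some-path'
# is one label built from lookalike characters, sitting under evil.com.
SPOOF_HOST = "paypal\u2024com\u2044some-path.evil.com"
```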

  6. Re:Not the end of the world by hal9000(jr) · · Score: 2, Interesting

      The solution to this problem is simple, and I'm surprised browsers don't do this already: add any fake '/' character that isn't in the IDN blacklist. In Firefox, network.IDN.blacklist_chars already contains plenty of things that look like '/'. Maybe other browsers need to follow its example.

    Do you know if FF will detect blacklist characters for all TLDs or just the non-IDN TLDs like .com and .net?

  7. An anarchist resource since 2004? by edgewedge · · Score: 2, Interesting

    Holy crap, looking at the source to sslstrip, this was written in 2004! I wonder if the anarchist underground hacking scene has had access to this for all that time? Why release it now I wonder?

  8. Re:Huge pet peeve by QuoteMstr · · Score: 2, Interesting

    Of course users won't actually read the warning. The point is to annoy users so that webmasters eliminate the behavior causing the annoying warning.