
Researcher demonstrates SSL attack

Tom Espiner ZDNet.co.uk | February 20, 2009 9:38 AM PST

Summary

Moxie Marlinspike has demonstrated a man-in-the-middle attack that could allow an attacker to intercept login details for supposedly secure websites.
A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.

Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool he developed called SSLstrip, which exploits the interface between http and https sessions.

"SSLstrip man-in-the-middles all of the potential SSL connections on the network, specifically attacking the bridge between http and https," Marlinspike said in the video.

Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. SSL and TLS are often used by banks and other organizations to secure web transactions.

The attack relies on users not directly calling up an SSL session by typing a URL into a browser. Most users initiate sessions by clicking on a button. These buttons are located on unencrypted http pages, and clicking on them will take users to encrypted https pages to log in.

"That opens up all kinds of avenues for ways that you might intercept [details]," Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 email accounts, seven PayPal logins and 16 credit card numbers within a 24-hour period.

SSLstrip works by watching http traffic, then by acting as a proxy when a user attempts to initiate an https session. While the user believes the secure session has been initiated, and SSLstrip has connected to the secure server via https, all traffic between the user and SSLstrip is http. This means "disastrous warnings" displayed by browsers are avoided, as to the browser the session appears normal. Login details can then be harvested.

Marlinspike said that an https padlock logo can be spoofed in the URL bar, to further lull the user into a false sense of security.

While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted. In August last year, researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

This article was originally posted on ZDNet.co.uk.

Talkback Most Recent of 10 Talkback(s)

  • Well
    that's not good!
    Linux User 147560
    20th Feb 2009
  • RE: Researcher demonstrates SSL attack
    Amazingly I'm the first one to comment! I would have thought that this is pretty major news. I think everyone has been stunned into silence.

    A properly secure way to use an SSL connection is to make the button an SSL link to an SSL page as I have here http://caspianit.co.uk, so as long as your site is designed this way it's no big deal.
    scifisi
    20th Feb 2009
  • RE: Researcher demonstrates SSL attack
    Yes, it's great, important news, though many financial sectors rely on secure transactions, and in the SSL protocol the authentication process is decoupled from the session establishment. It's another great risk for performing MITM attacks.
    Dass_pec
    21st Feb 2009
  • Oddly enough, I got an error message.
    Your security certificate appears to be expired. You may want to look into that. Your site's pretty cool, though.
    heres_johnny
    5th Mar 2009
  • RE: Researcher demonstrates SSL attack
    Wow, that's pretty scary, dude!

    RT
    www.anonymity.eu.tc
    RTTECH82
    22nd Feb 2009
  • RE: Researcher demonstrates SSL attack
    The latest in the seemingly neverending stream of techniques meant to expose ssl as flawed...really, though, once again this shows that it's not ssl itself that's flawed but the manner in which browsers transition from unencrypted to encrypted sites. That, indeed, needs to be improved, and would pretty much put all the MITM spoofs and scams out of business immediately. As The UK Register's article pointed out as well, there are more robust encryption technologies out there that are impervious to MITM, such as extended validation (simply because it's impossible to replicate). Eventually this phishing style will die out, it's just going to require some education and investment.
    mammasjoy@...
    23rd Feb 2009
  • No secrets & No wealth == So what?
    If only the whole world economy went to the fair use GPL standard and people started being completely open and honest, we would not need security. There would be nothing to steal and no reason to be hostile.

    Everything would be just...OK. People could just listen in on whatever they wanted.

    Puff Puff blue sweet smelling smoke.

    ROFLMAO
    wellduh
    11th Mar 2009
  • Not really SSL attack - plain HTML trust attack
    Given the method of attack and the fact that the user never gets to an SSL connection, this article is the wrong kind of alarm.

    Once more this exploit is a trust based attack on the assumed actions of unencrypted HTML.

    Specifically this attack is easily defeated by NEVER opening plain HTTP:// pages -- which should really be the modern browsing standard.
    wellduh
    11th Mar 2009
  • Campaign for SSL/TLS only Browser & Sites
    When even Smart phones can handle SSL with ease...why are we still using plain vulnerable HTTP:// pages?

    Sure, it is a slight additional server load... solved by excess CPU or SSL network cards for heavily used servers.

    But think of all the costs saved over simple trust exploits.

    Write your government, Open Source coders, even limp Microsoft about this.
    wellduh
    11th Mar 2009
  • RE: Researcher demonstrates SSL attack
    Well, as a result of this article being published here, many more people or hacker wannabes know how to attempt an HTTPS attack. Some things are best kept as secrets. Maybe this article should have been sent as an encrypted email to major corporation IT professionals instead of the general public.
    tphillips
    18th Jan 2010
