Researcher demonstrates SSL attack


Summary: Moxie Marlinspike has demonstrated a man-in-the-middle attack that could allow an attacker to intercept login details for supposedly secure websites.

TOPICS: Networking, Security
A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.

Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool he developed, called SSLstrip, which exploits the interface between http and https sessions.

"SSLstrip man-in-the-middles all of the potential SSL connections on the network, specifically attacking the bridge between http and https," Marlinspike said in the video.

Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. SSL and TLS are often used by banks and other organizations to secure web transactions.

The attack relies on users not directly calling up an SSL session by typing a URL into a browser. Most users initiate sessions by clicking on a button. These buttons are located on unencrypted http pages, and clicking on them will take users to encrypted https pages to log in.

"That opens up all kinds of avenues for ways that you might intercept [details]," Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 email accounts, seven PayPal logins and 16 credit card numbers within a 24-hour period.

SSLstrip works by watching http traffic, then acting as a proxy when a user attempts to initiate an https session. The user believes the secure session has been initiated, and SSLstrip has indeed connected to the secure server via https, but all traffic between the user and SSLstrip is plain http. Because the browser never starts an SSL session of its own, the session appears normal to it and the "disastrous warnings" browsers would otherwise display are avoided. Login details can then be harvested.

Marlinspike said that an https padlock logo can be spoofed in the URL bar, to further lull the user into a false sense of security.

While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted. In August last year, researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

This article was originally posted on


Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • Well

    that's not good! ]:)
    Linux User 147560
  • RE: Researcher demonstrates SSL attack

    Amazingly I'm the first one to comment! I would have thought that this is pretty major news. I think everyone has been stunned into silence.

    A properly secure way to use an SSL connection is to make the button an SSL link to an SSL page as I have here, so as long as your site is designed this way it's no big deal.
    • RE: Researcher demonstrates SSL attack

      Yes, it's great, important news, though many financial sectors rely on secure transactions, and in the SSL protocol the authentication process is decoupled from the session establishment. It's another great risk to perform MITM attacks.
    • Oddly enough, I got an error message.

      Your security certificate appears to be expired. You may want to look into that. Your site's pretty cool, though.
  • RE: Researcher demonstrates SSL attack

    Wow, that's pretty scary, dude!

  • RE: Researcher demonstrates SSL attack

    The latest in the seemingly never-ending stream of techniques meant to expose ssl as flawed...really, though, once again this shows that it's not ssl itself that's flawed but the manner in which browsers transition from unencrypted to encrypted sites. That, indeed, needs to be improved, and would pretty much put all the MITM spoofs and scams out of business immediately. As The UK Register's article pointed out as well, there are more robust encryption technologies out there that are impervious to MITM, such as extended validation (simply because it's impossible to replicate). Eventually this phishing style will die out, it's just going to require some education and investment.
  • No secrets & No wealth == So what?

    If only the whole world economy went to the fair use GPL standard and people started being completely open and honest, we would not need security. There would be nothing to steal and no reason to be hostile.

    Everything would be just...OK. People could just listen in on whatever they wanted.

    Puff Puff blue sweet smelling smoke.

  • Not really SSL attack - plain HTML trust attack

    Given the method of attack and the fact that the user never gets to an SSL connection, this article is the wrong kind of alarm.

    Once more this exploit is a trust based attack on the assumed actions of unencrypted HTML.

    Specifically this attack is easily defeated by NEVER opening plain HTTP:// pages -- which should really be the modern browsing standard.
    • Campaign for SSL/TLS only Browser & Sites

      When even smartphones can handle SSL with ease...why are we still using plain vulnerable HTTP:// pages?

      Sure it is slight additional server load... solved by excess CPU or SSL network cards for heavily used servers.

      But think of all the costs saved over simple trust exploits.

      Write your government, Open Source coders, even limp Microsoft about this.
  • RE: Researcher demonstrates SSL attack

    Well, as a result of this article being published here, many more people or hacker wannabes know how to attempt an HTTPS attack. Some things are best kept as secrets. Maybe this article should have been sent as an encrypted email to major corporation IT professionals instead of the general public.