Home & Office

Researcher demonstrates SSL attack

Moxie Marlinspike has demonstrated a man-in-the-middle attack that could allow an attacker to intercept login details for supposedly secure websites.
Written by Tom Espiner, Contributor
A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.

Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool developed called SSLstrip, which exploits the interface between http and https sessions.

"SSLstrip man-in-the-middles all of the potential SSL connections on the network, specifically attacking the bridge between http and https," Marlinspike said in the video.

Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. SSL and TLS are often used by banks and other organizations to secure web transactions.

The attack relies on users not directly calling up an SSL session by typing a URL into a browser. Most users initiate sessions by clicking on a button. These buttons are located on unencrypted http pages, and clicking on them will take users to encrypted https pages to log in.

"That opens up all kinds of avenues for ways that you might intercept [details]," Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 email accounts, seven PayPal logins and 16 credit card numbers, within a 24 hour period.

SSLstrip works by watching http traffic, then by acting as a proxy when a user attempts to initiate an https session. While the user believes the secure session has been initiated, and SSLstrip has connected to the secure server via https, all traffic between the user and SSLstrip is http. This means "disastrous warnings" displayed by browsers are avoided, as to the browser the session appears normal. Login details can then be harvested.

Marlinspike said that an https padlock logo can be spoofed in the URL bar, to further lull the user into a false sense of security.

While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted. In August last year, researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

This article was originally posted on ZDNet.co.uk.

Editorial standards