Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SSL attack announced at Blackhat DC

Published: 2009-02-21
Last Updated: 2009-02-21 05:27:24 UTC
by Jason Lam (Version: 1)
0 comment(s)

Moxie Marlinspike presented a way to attack SSL communication during Blackhat conference in DC this week. The video of the presentation can be found here. Rather than a technical breakthrough, this is an improvement in attacking technique.  There will a tool called sslstrip that implement the techniques mentioned to be released later in the month.

Normally, SSL man-in-the-middle attacks comes up ugly warning messages. To circumvent the warning messages, Moxie suggested to force all HTTPS traffic to HTTP (HTTP session to the man-in-the-middle). This allow for better sniffing and injection since HTTP is in the clear and most importantly, no SSL warnings are generated.

You may ask, what about that padlock. Moxie suggested to inject a padlock icon in the favico.ico file so the padlock icon shows up in the browser, making the user believe this is still a "secure" connection.

For solution to this problem? There is no easy solution that will completely mitigate this attack technique. Part of the problem is the browser and the other part is user education. Different browser layout makes it difficult for user to recognize what a secure site should look like and in addition, we have the fundamental issue, how do the user know site X is really site X without manipulation. Maybe browser vendors can come up with consistent way for user to determine whether a site is SSL protected or not.

EV certs provide a bit of help here, user have a much more positive way of identifying a site is SSL protected and the cert is legit. But then, the user will have to get used to a specific site having EV certs before it is useful as a visual clue.

--------------------------
Jason Lam

Keywords:
0 comment(s)
Diary Archives