SSL Issues: From Man-in-the-Middle Attacks to Foreign Hackers

There was a very good article yesterday on The Register about the issues with SSL. We have been taught over the years that if the website you are visiting uses HTTPS (instead of the standard HTTP address) and a little lock icon shows up in your browser, then your web frolicking is safe and encrypted.

But that may not necessarily be true.

Security researcher Moxie Marlinspike has shown time and again that SSL can be intercepted and the encryption bypassed. One only has to look at his program SSLstrip to see this in action.

It works as a man-in-the-middle attack: it intercepts your request for an HTTPS-encrypted site and steps in between, creating the encrypted link with the target system while communicating with your system completely unencrypted.

I saw a presentation once by Moxie where he talked about running SSLstrip on a Tor exit node (Tor is a program used for surfing anonymously online). He then mentioned all the passwords and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (You don’t shop using Tor, do you?). He also talked about the inherent weaknesses of SSL, which was also the topic of The Register’s article.

According to the article, hacker attacks aside, there seems to be little verification checking before certificates are handed out. For example, in 2008 Mike Zusman from the security firm Intrepidus Group was able to purchase a certificate for Microsoft’s domain. In the same year a separate researcher was able to purchase a certificate for

But those are just a few that slipped by, right? Not necessarily:

Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft exchange servers and other internal resources.

When you add in reports of foreign hackers stealing certificates & creating fake certificates and also hardware devices that perform SSL man-in-the-middle attacks, it sounds like SSL is really in need of an overhaul.
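As an added example (not from the article or the EFF analysis), this Python audit flags names in a certificate inventory that cannot be tied to a publicly registered domain, such as the unqualified names quoted above. It generalizes beyond unqualified names to reserved TLDs and non-global IP addresses; the inventory format, certificate ids and function names are assumptions.

```python
import ipaddress

# Special-use TLDs (RFC 2606, RFC 6761, RFC 6762) that are not publicly registrable.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def classify_name(name):
    """Return the reason a certificate name is flagged, or None if nothing is flagged."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):          # judge a wildcard by its base domain
        host = host[2:]
    if not host:
        return "empty"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                 # IP literal: flag private/loopback/link-local ranges
        return None if ip.is_global else "private-ip"
    labels = host.split(".")
    if len(labels) == 1:               # "localhost", "exchange", "exchange01"
        return "unqualified"
    if labels[-1] in RESERVED_TLDS:    # e.g. "mail.corp.local"
        return "reserved-tld"
    return None


def audit(inventory):
    """Map {cert_id: [names]} to {cert_id: [(name, reason)]}, flagged certificates only."""
    findings = {}
    for cert_id, names in inventory.items():
        flagged = [(n, r) for n in names if (r := classify_name(n))]
        if flagged:
            findings[cert_id] = flagged
    return findings


# Constructed sample inventory (hypothetical certificate ids and names).
SAMPLE = {
    "cert-001": ["www.example.com", "exchange01"],
    "cert-002": ["localhost"],
    "cert-003": ["mail.corp.local", "10.0.0.5"],
    "cert-004": ["shop.example.org", "*.example.org"],
}

if __name__ == "__main__":
    for cert_id, flagged in audit(SAMPLE).items():
        print(cert_id, flagged)
```

Any certificate flagged this way is worth reviewing, because the same name can exist on many unrelated internal networks.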


6 thoughts on “SSL Issues: From Man-in-the-Middle Attacks to Foreign Hackers”

  1. Moxie ever get his laptop back? Been taking the oldest one out for a little war driving in the evenings. Don’t know what’s funnier, the names people give their networks, or the number of open LinkSys AP’s out there.

    1. Lol, I think so. I don’t think he ever trusted it again afterwards. Thank goodness we have rights in this country. 🙂

      Man Philo, want to see something that will just make you sick, check out the NOVA documentary – “The Spy Factory”.

      I hear you on the AP’s. Philo, I am the technical editor for a very cool book that should be out soon on Wi-Fi penetration testing. I’ll let you know when it is released, it has some very good wireless security information in it and some of the best step by step tutorials that I have seen yet.

      1. Right on! Can’t wait to read it. The only thing more ridiculous than the number of unsecured Ap’s was the number of networks named, “10Fx…” that you just had to add a zero to for the encryption key. Thank you lazy ISP’s for the free Internet! lol
