Very good article yesterday on The Register that talks about the issues with SSL. We have been taught over the years that if the website you are visiting uses HTTPS (instead of the standard HTTP address) and you have a little lock icon show up in your browser, then your web frolicking is safe and encrypted.
But that may not necessarily be true.
Security researcher Moxie Marlinspike has shown time and again that SSL can be intercepted and the encryption bypassed. One would just have to look at his program SSLstrip to see this in action.
It works as a man-in-the-middle attack: it takes your request for an HTTPS-encrypted site, steps in between you and the server, sets up the encrypted link with the target system itself, and then talks to your system completely unencrypted.
I saw a presentation once by Moxie where he talked about running SSLstrip on a Tor exit node (Tor is a program used for surfing anonymously online). He then mentioned all the passwords and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (you don’t shop using Tor, do you?). He also talked about the inherent weaknesses of SSL, which was also the topic of The Register’s article.
According to the article, hacker attacks aside, there seems to be little verification checking before certificates are handed out. For example, in 2008 Mike Zusman from the security firm Intrepidus Group was able to purchase a certificate for Microsoft’s Live.com domain. In the same year a separate researcher was able to purchase a certificate for Mozilla.com.
But those are just a few that slipped by, right? Not necessarily:
Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft Exchange servers and other internal resources.
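The unqualified and internal names the EFF analyst found are easy to screen for. As an added example (not code from The Register article or the EFF study), here is a Python check over the names a certificate claims in its CN and SANs that flags the ones a public CA should never have issued; the internal suffix list and the sample certificate are constructed assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Suffixes not delegated on the public DNS, so no public CA can validate
# control of them (assumed list for illustration, not from the article).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_name(name: str) -> Optional[str]:
    """Why `name` does not belong in a publicly trusted certificate (None if OK)."""
    n = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        # Loopback, RFC 1918 and other special-use ranges are not global.
        return None if ip.is_global else "non-public IP address"
    if n == "localhost" or n.endswith(".localhost"):
        return "reserved name localhost"
    labels = n.split(".")
    host_labels = labels[1:] if labels[0] == "*" else labels  # allow *.example.com
    if len(host_labels) < 2:
        return "unqualified single-label name"
    if any(not LABEL_RE.match(label) for label in host_labels):
        return "malformed label"
    if n.endswith(INTERNAL_SUFFIXES):
        return "internal-only suffix"
    return None


def audit_certificate_names(common_name: str,
                            subject_alt_names: List[str]) -> List[Tuple[str, str]]:
    """Audit CN plus SANs; return (name, reason) pairs a public CA should refuse."""
    findings, seen = [], set()
    for name in [common_name, *subject_alt_names]:
        key = name.strip().lower().rstrip(".")
        if key in seen:
            continue
        seen.add(key)
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample modelled on the article's examples: one public host plus internal names.
SAMPLE_CN = "mail.example.com"
SAMPLE_SANS = ["mail.example.com", "exchange", "exchange01", "localhost",
               "10.0.0.5", "exchange01.corp.local"]
```

Running `audit_certificate_names(SAMPLE_CN, SAMPLE_SANS)` returns every name except the public one, each with the reason it should have been refused.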
When you add in reports of foreign hackers stealing certificates and creating fake ones, as well as hardware devices that perform SSL man-in-the-middle attacks, it sounds like SSL is really in need of an overhaul.