Ah, how comforting to finally know we no longer need to wonder and worry if whatever we do online is accessible to government and criminals equally. It is.

A researcher has found a convincing way to hack the Secure Sockets Layer (SSL) protocol used to secure logins to a range of Websites, including e-commerce and banking sites.

Using a specially-created app, ‘SSLstrip’, a researcher calling himself Moxie Marlinspike demonstrated to Black Hat Arlington, Va attendees at last weekend’s conference how vulnerable many SSL connections were to an involved but clever man-in-the-middle (MitM) attack where a hacker could proxy traffic from users accessing genuine secure https:// website logins.

To prove the usefulness of the attack to a hypothetical criminal, he claimed the hack had given him access to 117 e-mail accounts, 16 credit card numbers, 7 PayPal log-ins and over 300 other “miscellaneous secure logins” in a 24-hour period. Sites involved included Ticketmaster, Paypal, LinkedIn, Hotmail, and Gmail.

The clever bit is that the attack didn’t need to touch the encrypted SSL traffic at all, simply exploit the fact that users almost never call https directly, instead accessing that by calling a conventional http web page first. That fact makes it possible to monitor and map the traffic between the browser and website before the SSL is set up securely, putting itself between the two so that neither site is aware that anything is amiss.

Found by Brother Uncle Don




  1. Ah_Yea says:

    I suspect Firefox will have a patch for this in about 10 minutes…

  2. WmDE says:

    So the story actually is SSL has not been hacked.

  3. keaneo says:

    #2 – beat me to it.

  4. Sinn Fein says:

    Until the US Government:

    A) Declares ALL Gangs as Domestic Terrorist Organizations and/or Organized Crime Syndicates (OMG! THAT’S RACIST!)

    and,

    B) Declares malevolent Hackers and Virus perpetrators as clear and present dangers to national and personal security (OMG! THAT TRAMPLES ARTISTIC FREEDOM OF EXPRESSION!)

    and delivers to them an earned Gitmo-style Due Process (this time with executions for worst case offenders), then we all will remain living under the threat and exploitation of their thug power and whim.

  5. Paddy-O says:

    “The only signal that something is wrong would be the lack of the https:// address in the toolbar, something few users would likely notice, he said.”

    SSL hasn’t been hacked. Man in the middle is old, and I wouldn’t notice the lack of being on an https site?
    Yawn.

  6. Ron Larson says:

    Nothing new here. People who have to work behind corporate internet proxies also experience the exact same thing, on a corporate level. And yes, the proxy has access to the data in the clear. If you are behind a proxy, and go to an SSL site, check the cert details. They will be that of the proxy server.

  7. jbenson2 says:

    The Dvorak editors should double check the headlines for accuracy before posting this sort of bogus information. SSL has not been hacked.

  8. Blinky the Hitman says:

    SSL “protection” is USELESS. It is layered ABOVE the connection protocol (TCP-IP), but BENEATH the application protocols (HTTP, SMTP, etc.). Anybody with a brain can build a “crowbar” in about 300 bytes of JavaScript.

    Yeah, this is OLD.

  9. donvocado says:

    Yeah, pretty much everyone else beat me to it, SSL has not been hacked-ola whatsoever, and MITM scams are about the oldest trick in the book.

    Another note, though, since the title of this story mentions “bank accounts,” etc — most banks and other big institutions are already using Extended validation ssl, which is even HARDER to hack coz sslstrip can’t duplicate a green url bar or ev padlock. So, this really only applies (so far as it applies at all) to non-financial ecommerce sites and the like (as well as social networks, password harvesting is getting popular), etc.

  10. Uncle Patso says:

    I _knew_ this new-fangled Internets thing would be nothing but trouble! (Get off my lawn!)

    I was alarmed at first by the headline, but nowhere near as scared as I was by # 4 Sinn Fein. Man! Keep that guy away from the controls!

  11. Glenn E. says:

    SSL isn’t broken (hacked). Its the weak ass browser and OS, that uses it. They’ve yet to harden every link (or layer) in the software chain, against these intrusions. They, being the major software makers.

  12. Bob says:

    @ #11, Just how exactly is it the browser’s fault? If a user goes to a http site to log in, then the site instructs the browser to go to a bogus site after the login is completed because of a poisoned DNS record, then how is it the browser’s fault?

    If anything, the site is at fault for not forcing users to https before the login page appears. But there again, it’s up to the idiot user to recognize that they are not using a secured connection. There’s only so much the browser can do to notify users of secured connections without pissing the users off with annoying messages and flashing colors.

  13. Todd Peterson says:

    No no no – SSL isn’t hacked. Uncle Dave has misunderstood this one.


0

Bad Behavior has blocked 6116 access attempts in the last 7 days.