Software sorta lets you cut through SSL encryption like nobody’s business
Nick | Feb 24, 2009
Break out the siren.gif! One of those security research types demonstrated last week how he was able to get around SSL authentication, enabling him to collect private information—Gmail login/passwords, credit card numbers, and the like—with very little trouble at all. It’s not a flaw in SSL itself, but a flaw in the way people use the Web.
The researcher, Moxie Marlinspike (that’s what he goes by, at least), developed an application called SSLstrip that uses a simple man-in-the-middle (MITM) attack to force the victims’ browsers to forward all information—passwords and the like—to his computer before going to, say, Gmail. Say you type gmail.com into your browser: instead of going straight to Google’s servers, the request is routed through the computer where SSLstrip is installed, which then passes the request on to Google’s servers. You, the user who initially typed gmail.com into your browser, have no idea that your info was redirected somewhere else, of course.
As for the SSL stripping itself
The quick solution to defend against this is to go directly to SSL sites by typing https://whatever.com into your address bar.
I seem to recall Ettercap having a similar feature, being able to read SSL-encrypted traffic.
crunchgear.com