Highlights
– New tool to be released by hacker performs a “man-in-the-middle” attack on seemingly secure websites
– Hacker has used his tool to demonstrate that he could steal password, credit card numbers, and other sensitive information from unsuspecting users
– Additional training of Internet users and re-design of websites will help combat the latest threat to the security protocol, SSL
At the Black Hat security conference hosted in Washington D.C. from February 16 – 19, 2009, an independent hacker and security researcher announced he would be releasing a software tool for removing Secure Sockets Layer (SSL) protection widely used by websites and other applications to encrypt data traversing the Internet. The researcher who goes by the name Moxie Marlinspike stated he would be releasing the free software program called “SSLstrip” that would perform what is known as a “man-in-the-middle” attack on seemingly secure websites, including banking sites, web-based e-mail, and e-commerce sites. Marlinspike showed how requested web pages that included a login box, such as the home page of many banks, can be intercepted and forged. He explained that his program is able to work because the vast majority of sites that use SSL begin by showing visitors an unencrypted page and only offer SSL protection for sections where sensitive information is transmitted.
To begin, the program is installed on a proxy server – a server (a computer system or an application program) that acts as a go-between for requests from clients seeking resources from other servers. The proxy server is then placed on the local area network (LAN), such as a free wireless hotspot network, and receives the web page request from the victim, sends the request to the intended website, handles any redirection to an SSL-encrypted “https” page by the server and returns an exact duplicate to the user, without the encryption, also known as a “http” connection. The “SSLstrip” tool fools the server delivering the requested content into believing that the secure webpage has been delivered to the requesting user. To better impersonate the security measures some users have come to expect, “SSLstrip” even adds a padlock icon that appears beside the web address, offering users a false sense that the can safely input secure information.
The author of “SSLstrip” tested his program on a public server he hosted for users of the Tor anonymous browsing network, and stated that he was able to acquire passwords to 117 e-mail accounts, 16 credit card numbers, seven Paypal logins and approximately 300 other logins to supposedly secure sites ranging from Gmail to Ticketmaster to Facebook.
Since many browsers use different icons, various alert messages, or written assurances that a site is “secure,” Marlinspike says these signals have lost their meaning. According to Marlinspike, “sites have really confused people with a bunch of different signs that often say they’re secure when they’re not.” “So now when they see any sign of security, they’ll put all their secure stuff up on a site without thinking.”
Redesigned Websites Along with More User Education Will be Needed
The latest exploit to the SSL protocol unveiled at this year’s Black Hat conference highlights many of the design vulnerabilities present in today’s web browser technology, and in the way developers are designing websites. An easy fix to the latest vulnerability according to the tool’s developer is for web page developers to encrypt everything. Another approach suggested by security experts is for users to type the entire “https” (secure) web address into a browser’s address bar so a tool like “SSLstrip” never gets a change to alter a website’s unencrypted link.
In the near term, we expect financial institutions, web-based e-mail providers, and e-commerce websites to redesign their websites in a manner where all communications with their clients are encrypted. We also expect these institutions to increase their efforts to educate their users on how to defeat this type of threat, along with the steps they can take to ensure the information they are entering into their computers will traverse the internet safely.