
Spotlight \| Reviews \| Current Issue \| Academy \| Newsletter \| Subscribe \| Shop \|

Online

News

Features

Blogs

RSS Feeds

White Papers

Conference Videos

Departments

Community

Resources

Current Issue

Special Editions

Spotlight

Reviews

Event Calendar

Admin Magazine

Subscribe now and save!

ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:

network security
system management
troubleshooting
performance tuning
virtualization
cloud computing

on Windows, Linux, Solaris, and popular varieties of Unix.

http://www.admin-magazine.com/

linux-magazine.com » Online » News » Attack on SSL Users Discovered, Tool Sources Released

Attack on SSL Users Discovered, Tool Sources Released

Feb 23, 2009

SSL won't come to a rest: the newest attack isn't about encryption or errors in the Secure Sockets Layer protocol, it's about the weakest link in the chain -- the user.

Moxie Marlinspike had already developed sslsniff in 2002. Based on certificate chaining, the client proxy tool intercepts HTTPS traffic from the server and switches the certificate with its own. Assuming a correct configuration and current browser, the result of its use removes any associated attack opportunities. But, asks Marlinspike, what if the client browser doesn't do any SSL queries?

That's why the San Franciscan developed a further proxy named sslstrip (see his presentation slides). The sslstrip tool searches for embedded links, such as https://.../login.php, originating from server webpages and replaces all HTTPS links with like-named HTTP links, such as http://.../login.php, while remembering the original HTTPS target. When the user clicks the modified URL, the sslstrip proxy recognizes it and opens an SSL connection with the server, which sends the webpage, albeit over a nonsecure connection.

In this way the man-in-the-middle (MITM) attacker can access all information from the connection. Such a scenario has an obvious application for online banking where only an HTTP start page might appear, but with visible SSL links and icons that give at least a visual sense of security. Often users ignore warning dialogs and click through them. In the case of an sslstrip intervention, the user doesn't even get the warning dialogs, because no apparent invalid HTTPS connection is created. His browser simply doesn't create a secure connection. The kind of MITM attacks this can provide, and how users might be totally unaware of them, is clearly indicated in Marlinspike's "New Tricks for Defeating SSL in Practice" slides.

After some wide-ranging debate last week about sslstrip, the tool is now available for download. It comprises about 1,000 lines of Python code and is under GLPv3 licensing.

(Nils Magnus)

Comments

Related Articles
Debian Update Introduces Security, Bans Adobe Flash
25C3: Severe Vulnerabilities in SSL and SSH
Network Security Toolkit Gets General Overhaul
Lynis Shell Skript Checks Unix Security
Chrome 2.0 Alpha: Linux Version in June
Chuck Norris Botnet Affects Linux Routers

Special Linux Magazine 3 for 1 Offer

Get 3 Issues + 3 DVDs for the price of a single issue!

Let Linux Magazine's hands-on, technical articles guide you in your daily Linux use. Check out bonus DVDs like Ubuntu, SUSE, or Fedora and save the download.

Only available for a limited time. Don't miss out!

more...