February 24, 2011 at 4:28 pm #6125 manoj9372 (Participant)
I have been studying a lot regarding cryptography these days.
I tried to learn the in-depth operations of SSL stripping, but I got stuck at a point, so I thought of asking here.
As far as I have learnt, first the attacker captures or listens to the victim's traffic with ARP spoofing/ARP poisoning (in most cases), applies SSL stripping, decodes the traffic and passes it back as “http” traffic to the victim. This is how I assume SSL stripping works.
1) In the same way, can we strip out SSH or any other kind of encrypted traffic?
2) Suppose a victim is using multiple encryptions; what will happen then?
For example, say a victim is using a VPN, and inside the VPN he is using some SSH tunneling to access his Gmail account, so at this stage there are 3 layers of encryption,
i.e. SSL for the VPN, SSH encryption, and another SSL for Gmail. At this junction, is it possible for an attacker to strip out these multiple encryptions?
3) Also, why are the SSL encryption developers not developing a technology that can verify data integrity like the IPsec standards? Why are they merely developing complex algorithms and focusing more and more on increasing the strength of the encryption, and not focusing at all on data integrity?
4) I have been thinking about some law-enforcement-level SSL decryption after I saw the following device
What amused me was: there is a class of hackers who just strip the SSL and access the plain text; this is the most common scenario we see in the real world. But there exists another side, which is being missed by most of the professionals: the law enforcement guys are using it like this:
victim aka bad guy
> SSL stripping by law enforcement (and after decryption, they have been re-encrypting the traffic because they have valid digital certificates from the CAs all over the world)
Even though we don't have a root certificate, as a pen-tester is it possible for us to do like the above?
Because I don't want my victim to know that I am stripping his traffic; that is the main thing I am willing to learn..
Hope I will get my doubts cleared…
February 24, 2011 at 7:40 pm #38381 mambru (Participant)
You are missing a very important point: man-in-the-middle.
February 25, 2011 at 1:24 am #38382 manoj9372 (Participant)
Couldn't get your exact point, sir. Yes, I know this is a MITM attack? I am a bit confused, sir…
March 12, 2011 at 2:17 am #38383 dynamik (Participant)
No, they’re not passing HTTP back to the user; they’re swapping out the legitimate cert with an untrusted one. The users will be alerted of this, but most will simply click-through. Have you seen the presentation by the creator of sslstrip? It’s worth watching: http://www.thoughtcrime.org/software/sslstrip/
March 26, 2011 at 2:47 am #38384 timmedin (Participant)
It's not just that, there is more to it. If you type http://www.paypal.com into your browser you will go to PayPal and be redirected to https. SSLStrip will negotiate the secure traffic with the server, but then rewrite it so the user is never sent to the SSL site. No need to see any cert errors on the client side.
I don't believe it is implemented yet, but since you are in the middle of the connection you can mess with the Online Certificate Status Protocol (OCSP). “Applications are required to check for revocation of the certificate before accepting it. The application should support both CRL and OCSP, although OCSP is clearly the wave of the future and the only scalable approach.
(In his presentation Marlinspike suggests a method for bypassing OCSP by returning a “Try again later” code, in which case the application typically gives up and authenticates. The EV rules state: “If the application cannot obtain a response using one service, then it should try all available alternative services.” This precludes the lazy behavior described by Marlinspike.)”
The “Try again later” code is the only response from the server that is not encrypted. If I remember correctly, most of the browsers will continue to the site if they can’t get a good OCSP response, but you might want to double check.
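The soft-fail behaviour discussed in the reply above can be made concrete on the client side. The following is an added example, not code from anyone in this thread: it decodes only the outer responseStatus of a DER OCSPResponse (the part the unsigned "tryLater" answer consists of) and shows the lenient policy next to a fail-closed one. The function names and the sample byte strings are constructed for this illustration; a real successful response also carries signed responseBytes that must be verified separately.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
# (RFC 6960). An unsuccessful answer such as tryLater is just the SEQUENCE with the
# ENUMERATED status and nothing else, and it carries no signature.
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed sample responses (hypothetical, not captured from a real responder).
TRY_LATER_RESPONSE = bytes.fromhex("30030a0103")     # SEQUENCE { ENUMERATED tryLater(3) }
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")  # SEQUENCE { ENUMERATED unauthorized(6) }
SUCCESS_STUB = bytes.fromhex("30030a0100")           # status only; real one has responseBytes


def parse_ocsp_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse envelope."""
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    pos = 2
    if der[1] & 0x80:                 # long-form length: skip the length-of-length bytes
        pos += der[1] & 0x7F
    if len(der) < pos + 3 or der[pos] != 0x0A or der[pos + 1] != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    code = der[pos + 2]
    if code not in STATUS_NAMES:
        raise ValueError(f"unknown responseStatus {code}")
    return STATUS_NAMES[code]


def revocation_decision(der: bytes, fail_open: bool) -> str:
    """
    Map a responder's answer to a client decision.
    fail_open=True models the lenient behaviour the thread describes: any non-answer,
    including the unsigned tryLater, lets the certificate through.
    fail_open=False is the hardened policy: only a successful response (which still has to
    be signature-checked) can lead to acceptance; anything else means consult another
    responder or a CRL, and reject if none is available.
    """
    status = parse_ocsp_status(der)
    if status == "successful":
        return "verify-signed-response"
    if fail_open:
        return "accept"               # soft-fail: revocation check silently skipped
    return "try-alternative-or-reject"
```

Note that a fail_open client treats an unsigned tryLater exactly like a clean bill of health, which is why a man-in-the-middle can neutralise the revocation check without touching any signed data.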