Attacking SSL - SSLStrip

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Feb 24, 2009 3:51 am

Attacking SSL - SSLStrip

This is one of the buzz presentations on SSL at Blackhat, the one Chris said he missed, well... here it is. The article, the tool and the video of presentation.

VERY similar to The Middler by Jay Beale? SSL becomes less and less appealing. In conjunction both tools are valuable.

Tool: SSLStrip

Video of Presentation: New tricks for defeating SSL in Practice

PDF Slides

Searchsec article below

How do you exploit Hypertext Transfer Protocol Secure (HTTPS), tightly wrapped in SSL or TLS?

According to Moxie Marlinspike, you don't. You exploit the HTTP it's built on. If you think about it, he told a Black Hat DC Briefings audience Wednesday, people encounter SSL by clicking on a link and being redirected to an HTTPS-secured page when they log into banking, webmail or shopping websites.

Marlinspike unveiled a hacking technique which intercepts Web traffic and tricks users into giving up passwords and other sensitive information. With the aid of a new tool called SSLstrip, Marlinspike demonstrated how easy it is to trick users into thinking they are on a trusted, secure website.

"People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP," he said. "Normally, if we're doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection. But if SSL depends on this other protocol, why don't we look at that first?"

The trick, said Marlinspike, is duplicating a Web environment in which people are comfortable, in which they feel safe. Not long ago, he said, websites emphasized what he called positive feedback. You see the ubiquitous padlock icon and perhaps the URL address window turned a reassuring color.

But now, newer browsers like Firefox 3 and IE8 display dire, in-your-face warnings that only the most reckless Web surfer would ignore. So, if you're trying to trick people into inputting their credit card numbers into Web pages they think are secured by SSL -- but that you own -- you want them to see a page that looks almost, if not completely normal. Positive feedback is pretty subtle.

"If we trigger negative feedback, we're totally screwed. People only care if it's catastrophic problem: 'Look out!'" he said. "If we fail to trigger positive feedback, maybe it's not so bad. People aren't really keeping an eagle eye out for all those positive indicators."

The basic idea is to intercept Web traffic with a new tool called SSLstrip. The tool switches the hyperlink reference (href) from HTTPS to HTTP and swaps the user to an insecure look-alike page. The server thinks everything is secure, because it is unaware of the exchange between the victim and the client, and the client gets no warning.

You can even add your own padlock icon to improve the user's comfort level.

Once you've got what you want from the victim, SSLstrip can be set to drop out and the user is once again presented with an SSL-protected page after the damage is done.

User names and passwords are particularly desirable targets.

"The real nice thing about passwords is that people reuse their passwords. So, if you get their passwords to one site, you've probably got their passwords to 10 or more sites," Marlinspike said.
Last edited by Jhaddix on Tue Feb 24, 2009 4:52 am, edited 1 time in total.
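
An added example, not part of the original post or of SSLstrip itself: a defender-side check for the href rewrite the quoted article describes. It compares a reference copy of a page (fetched over a trusted path) with the copy a client actually received and reports URLs whose scheme changed from HTTPS to HTTP; the sample pages and the `bank.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "action", "src"}  # attributes that carry a URL

class LinkCollector(HTMLParser):
    """Collect (tag, attribute, parsed URL) for every absolute http(s) URL."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https"):
                    self.links.append((tag, name, parts))

def collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def resource_key(tag, attr, parts):
    # Identify a resource independently of its scheme (and port).
    return (tag, attr, parts.hostname, parts.path or "/", parts.query)

def find_downgrades(reference_html, observed_html):
    """URLs that are https in the reference copy but only http in the observed copy."""
    observed = {}
    for tag, attr, parts in collect(observed_html):
        observed.setdefault(resource_key(tag, attr, parts), set()).add(parts.scheme)
    downgraded = set()
    for tag, attr, parts in collect(reference_html):
        if parts.scheme != "https":
            continue
        schemes = observed.get(resource_key(tag, attr, parts), set())
        if "http" in schemes and "https" not in schemes:
            downgraded.add(parts.geturl())
    return sorted(downgraded)

# Constructed sample pages: REFERENCE is the origin's copy, OBSERVED is what a client saw.
REFERENCE = ('<a href="https://bank.example/login">Sign in</a>'
             '<form action="https://bank.example/session" method="post"></form>'
             '<a href="http://bank.example/help">Help</a>'
             '<img src="https://static.bank.example/logo.png">')
OBSERVED = REFERENCE.replace("https://bank.example/", "http://bank.example/")

if __name__ == "__main__":
    for url in find_downgrades(REFERENCE, OBSERVED):
        print("downgraded:", url)
```
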

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Feb 24, 2009 6:30 am

Re: Attacking SSL - SSLStrip

Aside from this getting A LOT of press, here is the blackhat interview Jeff Moss did with him:

Jeff Moss w/Moxie Marlinspike

Ne0

Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Tue Feb 24, 2009 4:27 pm

Re: Attacking SSL - SSLStrip

jhaddix

good one, yeah heard about him today morning, now banks and ecommerce, or other secure educational community would be sweating after this tool's release now nothing is more secure now.... I wish .gov, .edu, .in are searching for some other creepy secure ways to escape from this

kcirtap

Newbie

Posts: 9

Joined: Fri Dec 01, 2006 1:03 am

Post Wed Feb 25, 2009 3:14 pm

Re: Attacking SSL - SSLStrip

just finished watching the video a while ago... scary... :o
C|EH, GPEN

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Feb 25, 2009 4:01 pm

Re: Attacking SSL - SSLStrip

I watched it, actually used it as a CPE for a couple of certs :)  It was definitely a good presentation.  I guess a couple of browsers from now, some of the issues will be fixed to limit this attack's effectiveness.  It's just one thing after another for SSL, isn't it?  Session hijacking, sidejacking, ssl stripping, oh my.
~~~~~~~~~~~~~~
Ketchup
