
SSL Rebinding & EV SSL MITM attack


g00d_4sh


Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Wed Aug 19, 2009 4:58 pm

SSL Rebinding & EV SSL MITM attack

So this last Sunday I got together with my local DC group. We went over the "Best of Defcon" and all that.  Good times.  Lots of BBQ, lots of Beer, and projection slides and demos of owning stuff. :)  One of the fun highlights was going over the SSL rebinding and the broken nature of SSL.  Here is a link to a site that has a demo. 

http://stub.bz/sslrebinding/
"Bad.. Good?  I'm the guy with the gun"

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Aug 19, 2009 9:50 pm

Re: SSL Rebinding & EV SSL MITM attack

So, if you wanted to run this tool, you would just spider the site with a standard cert to create your offline mirror and then use the SSL rebinding tool to proxy the connection between your offline copy and the real site?
~~~~~~~~~~~~~~
Ketchup

g00d_4sh


Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Aug 20, 2009 12:00 pm

Re: SSL Rebinding & EV SSL MITM attack

Main things we went over in our group were showing how you can get legit certs from most all of the root CA's for... whatever site.  Get one for paypal from verisign... one for gmail from... m$, etc etc.  Some of the root CA's automated systems even allow for snagging a 'legit' cert for *.  Yeah.... *.  Hehe.  Ironically, IE is one of the few browsers that won't accept a cert for *.  Apparently the developers decided that any cert with * as its target was probably... not really legit.  Suffice to say, getting your own certs for target sites is part of it.  I don't think they set up the full site for this one.  It was just showing how you can bump a user from an EV cert to a "legit" if... sketchy DV cert for the same site... and how it is pretty much impossible for them to notice.  (A 5 second wait was put in the video on this part to show the green bar turning to blue, then back to green.)  You then use the MITM attack to pop them to your DV cert, snag the credentials, and then pop them back on their EV certed page that they thought they were still on.  The tool automates the process.  Someone could sit in a coffee shop with a bunch of certs... and snag creds for tons of various sites that rely on SSL for security. 

Our "lodge" is actually doing another little interesting loophole.  You can send comodo 200 bucks.... and they will make you a "Certifying Partner".  Or something along those lines.  Long story short, you can sign certs for others with CA authority.  Can anyone say... abuse? 
"Bad.. Good?  I'm the guy with the gun"
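The two weaknesses the post above describes (a CA issuing a bare `*` certificate, and a session being bumped from an EV certificate to a DV one for the same host and back again) are both things a client-side or proxy-side monitor can detect after the fact. The script below is an added example written for this thread, not code from the demo site or from either poster. It replays a constructed list of certificate observations for a session and flags a bare-wildcard subject, any mid-session change of leaf certificate for the same host, and a drop from EV to a lower validation level. The CA/Browser Forum policy OIDs used here are real, but the assumption that every EV certificate carries `2.23.140.1.1` is a simplification; a production check would consult the browser's per-CA EV OID table.

```python
"""Detect bare-wildcard certificates and mid-session EV -> DV downgrades.

Added example (not part of the original thread). Input is a list of
certificate observations as a browser extension, TLS-terminating proxy or
passive network monitor might record them, one per TLS handshake.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# CA/Browser Forum policy identifiers (real OIDs). Assumption: every EV
# certificate carries the shared EV OID; historically CAs used their own.
EV_POLICY_OID = "2.23.140.1.1"
OV_POLICY_OID = "2.23.140.1.2.2"
DV_POLICY_OID = "2.23.140.1.2.1"


@dataclass
class CertObservation:
    host: str                      # hostname the client connected to
    subject_cn: str                # leaf certificate CN (or first SAN)
    issuer: str                    # issuing CA name / DN
    fingerprint: str               # SHA-256 of the leaf certificate, hex
    policy_oids: List[str] = field(default_factory=list)


def is_bare_wildcard(name: str) -> bool:
    """True only for a subject that is just '*' with no domain part at all.
    '*.example.com' is a normal wildcard and is not flagged."""
    return name.strip() == "*"


def validation_level(policy_oids: List[str]) -> str:
    """Map certificate policy OIDs to EV / OV / DV / unknown."""
    if EV_POLICY_OID in policy_oids:
        return "EV"
    if OV_POLICY_OID in policy_oids:
        return "OV"
    if DV_POLICY_OID in policy_oids:
        return "DV"
    return "unknown"


def audit_session(observations: List[CertObservation]) -> List[str]:
    """Return one alert string per suspicious event in the session."""
    alerts: List[str] = []
    last_seen: Dict[str, CertObservation] = {}  # host -> previous observation
    for i, obs in enumerate(observations):
        if is_bare_wildcard(obs.subject_cn):
            alerts.append(f"#{i} {obs.host}: bare wildcard '*' certificate "
                          f"issued by {obs.issuer}")
        prev = last_seen.get(obs.host)
        if prev is not None:
            if prev.fingerprint != obs.fingerprint:
                alerts.append(f"#{i} {obs.host}: certificate changed mid-session "
                              f"(issuer {prev.issuer} -> {obs.issuer})")
            before, after = validation_level(prev.policy_oids), validation_level(obs.policy_oids)
            if before == "EV" and after != "EV":
                alerts.append(f"#{i} {obs.host}: validation downgraded EV -> {after}")
        last_seen[obs.host] = obs
    return alerts


# Constructed sample session: EV cert, then a DV cert from a different CA
# for the same host, then the original EV cert again, plus a bare '*' cert
# on a second host. Fingerprints and CA names are placeholders.
SAMPLE_SESSION = [
    CertObservation("www.example.com", "www.example.com", "Example EV CA",
                    "aa11" * 16, [EV_POLICY_OID]),
    CertObservation("www.example.com", "www.example.com", "Example DV CA",
                    "bb22" * 16, [DV_POLICY_OID]),
    CertObservation("www.example.com", "www.example.com", "Example EV CA",
                    "aa11" * 16, [EV_POLICY_OID]),
    CertObservation("mail.example.net", "*", "Example DV CA",
                    "cc33" * 16, [DV_POLICY_OID]),
]

if __name__ == "__main__":
    for line in audit_session(SAMPLE_SESSION):
        print(line)
```

Run as-is it reports four events for the constructed session: the swap to the DV certificate, the EV to DV downgrade, the swap back to the EV certificate, and the bare `*` subject on the second host. The "swap back" is reported on purpose: the post's point is that the green bar returns within seconds, so a monitor that only keeps the latest state would miss the round trip.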
