[Owasp-cincinnati] SSL Strip?
Marco M. Morana
marco.m.morana at gmail.com
Fri Feb 20 18:41:01 EST 2009
Honestly this is BH Jeff Moss hype...
The weakness is not SSL in my opinion but the fact that attacking the user is always the weakest ring of the chain.
Now how many users are aware of using HTTPS instead of HTTP or even pay attention to a valid SSL certificate? Probably many. Is SSL the problem? No.
Can we do better? Yes. How? Deploy MFA, SSL EV, Mutual Certificate etc. So what is new on this that we did not know already, apart from a new tool to prove the point?
Regards
Marco
http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/
By Dan Goodin in San Francisco
The Register
19th February 2009
Website encryption has sustained another body blow, this time by an
independent hacker who demonstrated a tool that can steal sensitive
information by tricking users into believing they're visiting protected
sites when in fact they're not.
Unveiled Wednesday at the Black Hat security conference in Washington,
SSLstrip works on public Wi-Fi networks, onion-routing systems, and
anywhere else a man-in-the-middle attack is practical. It converts pages
that normally would be protected by the secure sockets layer protocol
into their unencrypted versions. It does this while continuing to fool
both the website and the user into believing the security measure is
still in place.
The presentation by a conference attendee who goes by the name Moxie
Marlinspike is the latest demonstration of weaknesses in SSL, the
encryption routine websites use to prevent passwords, credit card
numbers, and other sensitive information from being sniffed while in
transit. Similar to the side-jacking attack from 2007 and last year's
forging of a certificate authority certificate, it shows the measure
goes only so far.
"The attack is, as far as I know, quite novel and cool," said fellow
researcher Dan Kaminsky, who attended the Black Hat presentation. "The
larger message of Moxie's talk is one that a lot of people have been
talking about actually for a few years now: This SSL thing is not
working very well."
[...]
----- Original Message -----
From: Edward Sumerfield
To: OWASP Cincinnati
Sent: Friday, February 20, 2009 9:38 AM
Subject: [Owasp-cincinnati] SSL Strip?
What do you experts think of this issue? Should we be closing down our merchant sites yet?
http://www.itpro.co.uk/609932/website-danger-as-hacker-breaks-ssl-encryption
Ed Sumerfield
Ed Sumerfield Consulting, LLC
http://www.edsumerfieldconsulting.com
513-295-7016