[Owasp-cincinnati] SSL Strip?

Marco M. Morana marco.m.morana at gmail.com
Fri Feb 20 18:41:01 EST 2009

Honestly this is BH Jeff Moss hype...

The weakness is not SSL in my opinion but the fact that attacking the user is always the weakest ring of the chain.
Now how many users are aware of using HTTPS instead of HTTP or even pay attention to a valid SSL certificate? Probably many. Is SSL the problem? No.
Can we do better? Yes. How? Deploy MFA, SSL EV, Mutual Certificate etc. So what is new on this that we did not know already, apart from a new tool to prove the point?

By Dan Goodin in San Francisco
The Register
19th February 2009

Website encryption has sustained another body blow, this time by an 
independent hacker who demonstrated a tool that can steal sensitive 
information by tricking users into believing they're visiting protected 
sites when in fact they're not.

Unveiled Wednesday at the Black Hat security conference in Washington, 
SSLstrip works on public Wi-Fi networks, onion-routing systems, and 
anywhere else a man-in-the-middle attack is practical. It converts pages 
that normally would be protected by the secure sockets layer protocol 
into their unencrypted versions. It does this while continuing to fool 
both the website and the user into believing the security measure is 
still in place.

The presentation by a conference attendee who goes by the name Moxie 
Marlinspike is the latest demonstration of weaknesses in SSL, the 
encryption routine websites use to prevent passwords, credit card 
numbers, and other sensitive information from being sniffed while in 
transit. Similar to the side jacking attack from 2007 and last year's 
forging of a certificate authority certificate, it shows the measure 
goes only so far.

"The attack is, as far as I know, quite novel and cool," said fellow 
researcher Dan Kaminsky, who attended the Black Hat presentation. "The 
larger message of Moxie's talk is one that a lot of people have been 
talking about actually for a few years now: This SSL thing is not 
working very well."


  ----- Original Message ----- 
  From: Edward Sumerfield 
  To: OWASP Cincinnati 
  Sent: Friday, February 20, 2009 9:38 AM
  Subject: [Owasp-cincinnati] SSL Strip?

  What do you experts think of this issue? Should we be closing down our merchant sites yet?


  Ed Sumerfield
  Ed Sumerfield Consulting, LLC


  Owasp-cincinnati mailing list
  Owasp-cincinnati at lists.owasp.org
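As a defender-side illustration of the downgrade the article describes (added here; it is not code from the thread, from OWASP or from SSLstrip's author), this Python snippet audits a fetched login page for the symptom the attack leaves behind: a password form that submits over plain HTTP. The host name shop.example, the page URL and the two HTML samples are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class DowngradeAudit(HTMLParser):
    """Collect every form that carries a password field and check the scheme it submits over."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_action = None
        self._form_has_password = False
        self.findings = []  # list of (form action URL, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page's own URL,
            # so a page loaded over plain HTTP submits credentials over plain HTTP.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password and urlsplit(self._form_action).scheme != "https":
                self.findings.append((self._form_action, "password form submits over plain HTTP"))
            self._form_action = None


def audit_page(page_url, html):
    """Return (url, reason) pairs; an empty list means no downgrade symptom was seen."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append((page_url, "page itself loaded over plain HTTP"))
    parser = DowngradeAudit(page_url)
    parser.feed(html)
    return findings + parser.findings


# Constructed samples: the legitimate login page, and the same page as a user
# would receive it after an in-path attacker rewrote the HTTPS links to HTTP.
SAFE_HTML = '<form action="https://shop.example/login" method="post"><input type="password" name="pw"></form>'
STRIPPED_HTML = '<form action="/login" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit_page("https://shop.example/login", SAFE_HTML))     # []
    print(audit_page("http://shop.example/login", STRIPPED_HTML))  # two findings
```

The check only reports the symptom visible in the page; it does not by itself tell the user which party introduced the downgrade.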