[Owasp-cincinnati] SSL Strip?

James Walden james.walden at gmail.com
Sat Feb 21 10:32:16 EST 2009


> The weakness is not SSL in my opinion but the fact that attacking the user is
> always the weakest ring of the chain.

Agreed.  SSLstrip is nothing new.  The problem with SSL isn't the
protocol, but the user ignoring its warnings.  I don't think there's
going to be a general solution to that, though there is enormous room
for improvement in security user interfaces.  One user study found
that users were more likely to respond to a phishing attack if they
received a browser warning about the certificate: they didn't read the
error at all, but just skimmed something with the word "security" and
felt reassured.

Firefox 3's interface for handling bad certificates is much better
than other browsers, so we might see some improvements with time.
There are also tools like Passpet (http://passpet.org/) that greatly
reduce the chance of user error by changing how passwords are handled
in the browser.  You can find a variety of innovative security
interface ideas at the SOUPS conference
(http://cups.cs.cmu.edu/soups/).

James Walden
http://faculty.cs.nku.edu/~waldenj/
