SSL attack announced at Blackhat DC
Moxie Marlinspike presented a way to attack SSL communication at the Blackhat conference in DC this week. The video of the presentation can be found here. Rather than a technical breakthrough, this is an improvement in attack technique. A tool called sslstrip that implements the techniques mentioned will be released later in the month.
Normally, SSL man-in-the-middle attacks produce ugly warning messages. To circumvent the warnings, Moxie suggested forcing all HTTPS traffic to HTTP (the user's session to the man-in-the-middle is plain HTTP). This allows for better sniffing and injection since HTTP is in the clear and, most importantly, no SSL warnings are generated.
You may ask: what about the padlock? Moxie suggested injecting a padlock icon in the favicon.ico file so the padlock shows up in the browser, making the user believe this is still a "secure" connection.
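As an added example (not from the presentation or from sslstrip), the check below compares a page as the origin serves it with the copy a client actually received and reports links that were rewritten from HTTPS to HTTP, which is the change described above. The function names and sample HTML are constructed, and the reference copy is assumed to have been fetched over a trusted path.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that carry navigation or submit targets


class _UrlCollector(HTMLParser):
    """Collect absolute http/https URLs from href, src and action attributes."""

    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https") and parts.hostname:
                    self.urls.add(parts)


def _collect(html):
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def _key(parts):
    # Identity of a link with the scheme ignored: host, path and query.
    return (parts.hostname, parts.path or "/", parts.query)


def find_downgraded_links(reference_html, received_html):
    """Return https URLs from the reference that the received copy only offers over http."""
    ref_https = {_key(p): p.geturl() for p in _collect(reference_html) if p.scheme == "https"}
    got = _collect(received_html)
    got_https = {_key(p) for p in got if p.scheme == "https"}
    got_http = {_key(p) for p in got if p.scheme == "http"}
    return sorted(url for key, url in ref_https.items()
                  if key in got_http and key not in got_https)


# Constructed sample pages: REFERENCE is what the origin serves, RECEIVED is
# the same page after every https:// link was rewritten in transit.
REFERENCE = ('<a href="https://bank.example/login">Log in</a>'
             '<form action="https://bank.example/session" method="post"></form>'
             '<img src="http://bank.example/logo.png">')
RECEIVED = REFERENCE.replace("https://", "http://")

if __name__ == "__main__":
    for url in find_downgraded_links(REFERENCE, RECEIVED):
        print("downgraded:", url)
```

A link that was already plain HTTP in the reference, such as the logo above, is not reported, since only a change from HTTPS to HTTP indicates rewriting.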