34 Comments
- hawkeye22, on 02/22/2009, -2/+23: Ignore comment #2 (mooninite) - he's a ***** douchebag. Read through the entire presentation, and you'll see how you can indeed maintain a genuine SSL connection with https in the address bar if you combine this attack with homography. Dugg the article just because mooninite buried it.
- mooninite, on 02/22/2009, -20/+37: "SSLstrip works by watching http traffic, then by acting as a proxy when a user attempts to initiate an https session. While the user believes the secure session has been initiated, and SSLstrip has connected to the secure server via https, all traffic between the user and SSLstrip is http. This means "disastrous warnings" displayed by browsers are avoided, as to the browser the session appears normal. Login details can then be harvested."
So if you're stupid and don't look at your URL bar to make sure that it says https:// then I guess you're meant to be screwed with.
This is not an "SSL attack." Buried.
- HappyScrappy, on 02/22/2009, -1/+17: Not accurate. This is not an attack on SSL, it is an attack on browsers' use of SSL.
Why does this matter? Because, for example, ssh uses ssl. And this attack cannot be used on ssh, because it isn't an SSL attack.
- FurtThePirate, on 02/22/2009, -3/+15: Why the ***** would I look at the address bar at every login just to make sure I'm safe? You sir underestimate my laziness.
- ironiridis, on 02/22/2009, -1/+11: Well, yes and no. That icon can be spoofed... if you're not very aware. 99% of [lazy] spoofing is designed to look like IE6 in Windows XP. Like those idiotic "You have a virus!" ads.
However, more robust spoofs are very possible and have been done. Detecting the browser, even detecting what theme you're using in Firefox. No exploit can cover every possibility, but they can cover enough to make the exploit profitable. Firefox now includes an identifier inside the URL bar which pertains to the certificate of the HTTPS site you're connected to. While [again] not impossible to spoof, this is more difficult than just generating a padlock icon.
- hawkeye22, on 02/22/2009, -1/+10: Hey smartass - I guess you didn't read all 99 slides of the presentation. The latter half explains exactly how you can use your own wildcarded SSL certificate to get round exactly this problem. Asshat.
- nadalbg, on 02/21/2009, -2/+10: Maybe they just want to manipulate our digg accounts :p
- Dudemeyster, on 02/22/2009, -1/+8: Moxie Marlinspike is an awesome name.
- twiztidsinz, on 02/22/2009, -0/+6: Firefox's is huge.....
.....and green
.....and huge.
- deboerpa, on 02/22/2009, -0/+6: I would not want to ***** with a dude named Moxie Marlinspike
- NUMBER4940, on 02/22/2009, -0/+5: i rarely look for the 's', but i check for the lock icon or the highlighted address...same thing?
- bicyclethief, on 02/22/2009, -0/+5: I bet his hacker handle is like "Jim."
- dtfinch, on 02/22/2009, -0/+4: I have a client side script make sure that the url starts with https as expected. It'd be easy to strip out, but someone who's just out to capture everything, not targeting one specific site, might not bother.
- inactive, on 02/22/2009, -2/+6: Foxie Darlingdyke is an awesome dame.
- fenny45, on 02/22/2009, -0/+3: Didn't they say in the vid that they could spoof that?
- inactive, on 02/22/2009, -0/+3: you'll jizz.
- compu73rg33k, on 02/22/2009, -0/+3: I find it more work to not glance at the address I'm at. Just a habit I suppose...
- selphishnerd, on 02/22/2009, -0/+3: This isn't new. I saw several people mention this idea at Decon back in August.
In fact, I was watching a Dan Kaminsky talk from 2007 and he talked about this...
- touch0ph, on 02/23/2009, -0/+3: Inaccurate title. The problem isn't with SSL but rather the way that many websites use redirection to an SSL page. If anything, I would say this is more of a web design problem.
- thecheatah, on 02/22/2009, -0/+2: If I am trying to connect to a https connection, how are you gonna forward my browser to an http site? Unless browsers don't mind connecting to http protocol over https port. Which I doubt.
- ALLENLKELLY, on 07/31/2009, -0/+2: Tim Callan, vice president of product marketing at VeriSign, responds to the Black Hat presentations in his new SSL blogpost:
https://blogs.verisign.com/ssl-blog/2009/07/busy_d ...
He fills some of the holes that Marlinspike and Kaminsky dug.
@allenkelly
- bicyclethief, on 02/22/2009, -0/+2: He gets sent back to the 5th dimension if you get him to say his name backwards.
- OBKenobi, on 02/22/2009, -0/+2: Digg is a matter of global security. Something must be done about this grievous intrusion immediately.
- inactive, on 02/22/2009, -0/+2: she is?
- crypticcipher, on 02/22/2009, -0/+2: Man in the middle attacks are generally the hardest to prevent or detect.
This is less of an SSL hack and more of social engineering as is the typical modus operandi much like phishing or spoofing.
Just like anything on the internet, user beware.
- whytey, on 02/22/2009, -0/+2: Certificate Chains Can Be <3
- RonnyN, on 02/23/2009, -0/+2: How can someone be so smart to do all that, but when it comes to pluralizing the word "CA", he writes "CA's"?
- Tellie, on 02/25/2009, -0/+2: Seriously. His voice and speaking pattern is ***** creepy!
- FxChiP, on 02/22/2009, -2/+3: The attack actually lies in the certificate verification that most web browsers do. Essentially, it's the process of having your own certificate, then generating *another* certificate for another site (say, PayPal Inc.), signing it with *your* certificate, then presenting the other certificate. That way, OpenSSL/web browser/what have you will go "Okay, this certificate is for PayPal, signed by l33th4x0r, signed by [agency], signed by [agency2], signed by VeriSign. The certificate path checks out, the domain in the certificate checks out, so this is a valid certificate."
Essentially it's a way to pass off PayPal (or other companies') certificates as legit, even though they're not, simply because the "trail" is authentic. The attack also lies in the flaw that when the browser/SSL implementation is tracing back certificates, it doesn't bother to check whether the certificate is a CA certificate or not, just whether it really did sign the next -- which would be another fix. It's not an SSL exploit per se, just an exploit that takes advantage of an oversight in 99% of the SSL implementations out there.
- Boondoggle, on 02/23/2009, -0/+1: Sadly Digg doesn't implement any encryption around the login process as far as I can tell. Everything is in the clear.
- Theril, on 02/22/2009, -0/+1: I should RTFA
- musntSurfatWork, on 02/22/2009, -0/+1: so, do we expect another tab or radio button in the Internet Options screen, to check off more security levels? I wish I knew how to decipher all the differences in those security options, seems like an alphabet soup of preventative measures, only to have everyday trojans and adware still creep into our machines somehow,
- inactive, on 02/22/2009, -1/+1: but you are coming out
- lead2thehead, on 02/22/2009, -4/+2: Not really an SSL attack, but it's still pretty cool. Most people don't know the difference between http and https. The browser's security system hinges on the user noticing that 9x9 pixel lock on the status bar. I'll bet that 90% of internet users don't even know what it means.
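
Added example, not part of the thread and not code from any commenter or project: a toy model of the chain check FxChiP's comment describes, showing a validator that only follows signatures beside one that also requires every signer to be a CA. The certificate names are constructed, and an HMAC stands in for a real X.509 signature.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool      # models the X.509 basicConstraints CA flag
    key: bytes       # toy signing key, stands in for a real key pair
    sig: bytes = b""

    def tbs(self) -> bytes:
        # The "to be signed" fields, including the CA flag.
        return f"{self.subject}|{self.issuer}|{self.is_ca}".encode()

def issue(subject, issuer, is_ca):
    """Create a certificate for `subject` signed with the issuer's toy key."""
    cert = Cert(subject, issuer.subject, is_ca, secrets.token_bytes(32))
    cert.sig = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert

def signed_by(cert, issuer):
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)

def validate(chain, trusted_root, hostname, enforce_ca):
    """`chain` is leaf-first. Returns (ok, reason)."""
    if chain[0].subject != hostname:
        return False, "hostname mismatch"
    path = chain + [trusted_root]
    for cert, issuer in zip(path, path[1:]):
        if not signed_by(cert, issuer):
            return False, f"{cert.subject} not signed by {issuer.subject}"
        # The check the comment says was missing: a signer must be a CA.
        if enforce_ca and not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA but signed {cert.subject}"
    return True, "ok"

def build_demo():
    """Constructed chains: one honest, one signed by an ordinary site cert."""
    root = Cert("Example Root CA", "Example Root CA", True, secrets.token_bytes(32))
    agency = issue("Example Agency", root, is_ca=True)
    site = issue("site-owner.example", agency, is_ca=False)  # ordinary leaf
    forged = issue("bank.example", site, is_ca=False)        # signed by a leaf
    return root, [forged, site, agency], [site, agency]
```

With `enforce_ca=False` the forged chain for `bank.example` validates because every signature link is genuine; with `enforce_ca=True` it is rejected at the non-CA signer, while the honest chain passes in both modes.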


