How to secure SSL following new man-in-the-middle SSL attacks

Man-in-the-middle SSL attacks at Black Hat D.C. exposed a flaw in the https structure, so how can you avoid such an attack at your enterprise? Find out in Mike Chapple's expert response.

Mike Chapple, University of Notre Dame

I heard a researcher at Black Hat DC bypassed SSL by a man-in-the middle attack that exploits the interface between HTTP and HTTPS. Does that mean that SSL is insecure?

It's true that Moxie Marlinspike presented some new SSL attack techniques at Black Hat DC this year. Moxie's attack is a variation on the traditional man-in-the-middle attack in which an attacker intercepts a client's requests to a Web server, establishes his or her own connection to the Web server, makes the request on behalf of the client, and then passes the results back to the originator. This allows the client to interact with the website normally, seeing the expected data while the attacker monitors the communication and can, in fact, issue whatever commands to the website he or she wishes.

Normally, man-in-the-middle attacks are easily detected because the attacker can't forge the SSL certificates necessary to create a secure connection to the remote website. This causes the user to see a bunch of error messages and warnings regarding the validity of the SSL certificate.

How did Moxie defeat this problem? By simply removing the SSL from the user's connection! This attack uses a tool called SSLstrip that changes all of the user's requests to HTTP connections, which are passed to the man-in-the-middle attacker in the clear. The attacker then establishes a real SSL connection to the server and makes the request on behalf of the client. From the server's perspective, everything looks like a legitimate, secure connection. If the user isn't paying careful attention, looking for the HTPPS URL or the lock icon, there aren't any obnoxious warning errors alerting them to the problem.

The solution to this problem lies in user education. Users must understand the importance of looking for the lock to verify the website is using secure HTTPS communication with a valid SSL certificate. So what's the bottom line? There's nothing wrong with SSL. Security teams simply need to ensure users understand when it's in place.

For more information:

Should iPhone email be sent without SSL encryption? Read more.
Learn more about the risks of connecting a Web service to an external system via SSL.

This was last published in March 2009

How to secure SSL following new man-in-the-middle SSL attacks

Man-in-the-middle SSL attacks at Black Hat D.C. exposed a flaw in the https structure, so how can you avoid such an attack at your enterprise? Find out in Mike Chapple's expert response.

Dig Deeper on VPN security

What VPN alternatives should enterprises consider using?

HTTPS interception gets a bad rap; now what?

Insecure SSL coding could lead to Android man-in-the-middle attacks

POODLE (Padding Oracle On Downgraded Legacy Encryption)

Related Q&A from Mike Chapple

Stateful vs. stateless firewalls: Understanding the differences

Wired vs. wireless network security: Best practices

The difference between AES and DES encryption