ARLINGTON, Va. -- How do you exploit Hypertext Transfer Protocol Secure (HTTPS), tightly wrapped in SSL or TLS?
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
According to Moxie Marlinspike, you don't. You exploit the HTTP it's built on. If you think about it, he told a Black Hat DC Briefings audience Wednesday, people encounter SSL by clicking on a link and being redirected to an HTTPS-secured page when they log into banking, webmail or shopping websites.
Marlinspike unveiled a hacking technique which intercepts Web traffic and tricks users into giving up passwords and other sensitive information. With the aid of a new tool called SSLstrip, Marlinspike demonstrated how easy it is to trick users into thinking they are on a trusted, secure website.
"People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP," he said. "Normally, if we're doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection. But if SSL depends on this other protocol, why don't we look at that first?"
Black Hat DC Briefings:
The trick, said Marlinspike, is duplicating a Web environment in which people are comfortable, in which they feel safe. Not long ago, he said, websites emphasized what he called positive feedback. You see the ubiquitous padlock icon and perhaps the URL address window turned a reassuring color.
But now, newer browsers like Firefox 3 and IE8 display dire, in-your-face warnings that only the most reckless Web surfer would ignore. So, if you're trying to trick people into inputting their credit card numbers into Web pages they think are secured by SSL --but that you own -- you want them to see a page that looks almost, if not completely normal. Positive feedback is pretty subtle.
"If we trigger negative feedback, we're totally screwed. People only care if it's catastrophic problem: 'Look out!'" he said. "If we fail to trigger positive feedback, maybe it's not so bad. People aren't really keeping an eagle eye out for all those positive indicators."
The basic idea is to intercept Web traffic with a new tool called SSLstrip. The tool switches the hyperlink reference (href) from HTTPS to HTTP and swaps the user to an insecure look-alike page. The server thinks everything is secure, because it is unaware of the exchange between the victim and the client, and the client gets no warning.
You can even add your own padlock icon to improve the user's comfort level.
Once you've got what you want from the victim, SSLstrip can be set to drop out and the user is once again presented with an SSL-protected page after the damage is done.
User names and passwords are particularly desirable targets.
"The real nice thing about passwords is that people reuse their passwords. So, if you get their passwords to one site, you've probably got their passwords to 10 or more sites," Marlinspike said.