ARLINGTON, VA -- A combination of poorly educated users, fewer security warnings in browsers, and sites that mix secured and unsecured content allow man-in-the-middle attacks that can sidestep the ubiquitous secure sockets layer (SSL) encryption used to pass login credentials, a researcher told attendees on Wednesday at the Black Hat Security Briefings.
Using a proxy server sitting between the victim and the Internet, security researcher Moxie Marlinspike — his real name, he said — showed how Web requests for pages that included a login box, such as the home page of many banks, can be intercepted and forged. A program on the proxy server sends the request to the Web site, handles any redirect to an SSL-encrypted page and returns an exact duplicate to the user, without the encryption.
While telltale signs of the switch remain — the Web address starts with HTTP rather than HTTPS — most users do not even notice. As an experiment, Marlinspike placed his proxy software on a node in the Tor network and intercepted 200 requests for SSL-encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers. None of the users refused to enter their sensitive information into the unencrypted page, he said.
"It is supposed to post to a secure link, but there is no way to know that," Marlinspike said. "There is no disastrous warning."
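The condition Marlinspike describes can be checked mechanically on the client side: a page carrying a password field that arrived over plain HTTP, or whose form posts to a plain HTTP address, is exactly what a stripping proxy produces. The checker below is an added illustration, not code from the talk or from sslstrip; the bank hostname and HTML are constructed samples.

```python
# Client-side checker for the condition the article describes: a login page
# that arrived over plain HTTP and therefore may have had its SSL stripped.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LoginFormScanner(HTMLParser):
    """Collect (form action, contains password field) pairs from a page."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def login_page_findings(page_url, html):
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # a relative action inherits the page scheme
        post_scheme = urlsplit(target).scheme.lower()
        if post_scheme != "https":
            # The sslstrip outcome: the credential POST itself travels in the clear.
            findings.append(("CLEARTEXT_POST", target))
        elif page_scheme != "https":
            # The POST would be encrypted, but the form arrived over plaintext, so the
            # page (and its action attribute) could already have been rewritten in transit.
            findings.append(("PLAINTEXT_LOGIN_PAGE", page_url))
    return findings

# Constructed sample: a bank-style login box as a client behind a stripping proxy sees it.
SAMPLE_HTML = """<html><head><title>Example Bank</title></head><body>
<form method="post" action="http://bank.example/login">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for code, detail in login_page_findings("http://bank.example/", SAMPLE_HTML):
        print(code, detail)
```

A browser that applied this rule would supply the "disastrous warning" the quote says is missing; note that the second finding fires even when the action still says https, because a plaintext page cannot vouch for its own contents.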
The presentation demonstrated a practical attack using a collection of already understood weaknesses. In the past, cross-site scripting has been used to inject content into supposedly secure sites.
The security researcher stressed that the attack succeeds because browsers have moved from providing positive feedback when a site is secure to only providing negative feedback when the software detects something wrong. By providing additional cues, such as a lock icon as the favicon, an attacker could make a targeted user more likely to fall for the ruse. In addition, an attacker could use internationalized domain names to create a URL that appears to be a valid address for a major Web site but in reality includes look-alike '.' and '/' characters from international character sets.
Marlinspike plans to release the code for his software, dubbed sslstrip, by the end of the week.
Posted by: Robert Lemos