Dailydave mailing list archives

Re: SSL MITM fun.


From: Fyodor <fyodor () insecure org>
Date: Thu, 19 Feb 2009 15:36:05 -0800

On Thu, Feb 19, 2009 at 01:04:33PM -0500, Dan Moniz wrote:
> On Thu, Feb 19, 2009 at 12:07 PM, Dave Aitel <dave () immunityinc com> wrote:
>
>> https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
>>
>> Essentially he details 3 attacks (from what I can tell):
>> 1. Register a .cn address and use unicode character for / and ? to
>> have HTTPS://www.paypal.com/?domain.cn?<some args> validate
>
> Unless I'm missing something, this is essentially what Eric Johanson
> said in 2005 about IDN:

Moxie credits 3ric by name on slide 87.  But the browsers have made
adjustments to prevent 3ric's exact attacks.  Moxie demonstrates ways
to generalize the attacks a bit and also get around the new
restrictions (such as refusing to render IDN in the com TLD).

The slides give numbers for how many people he apparently fooled with
the MITM attacks (e.g. 16 credit card numbers and 7 PayPal logins and
300 other https logins in 24 hours), but it isn't clear from the
slides alone where he performed the attacks.  Maybe a coffee shop?
I'm hoping it was on the Black Hat DC network before his presentation
:).

Some of the information in the slides is already well known, but I
hope he can shame organizations (particularly the banks and browser
vendors) into actually doing something about it.

Also, the presentation gives the http://thoughtcrime.org URL for his
sslstrip software, but I don't see it there yet.  I currently just see
his old sslsniff program.

Too bad he doesn't talk about extended validation certs, as they
certainly have their own spoofing problems too.  Particularly if one
can get hold of a non-EV (domain validated) cert for the domain.

Cheers,
Fyodor
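The IDN trick discussed in this thread works because a reader sees a "/" or "?" in the hostname and assumes the host ends there, while the resolver sees one long label ending in the attacker's registered domain. The following added example (not part of this post or of Moxie's tools) is a small defender's check that shows what a client would actually resolve: it extracts the host by hand, lists every non-ASCII code point in it with its Unicode name, and flags those that either have a name resembling a URL delimiter or NFKC-normalise to one. The sample URL, the `example.cn` domain and the short lookalike-name list are constructed for illustration; the "registrable domain" is a last-two-labels simplification with no public-suffix list. Host extraction is done by hand because recent CPython versions of `urllib.parse.urlsplit` raise `ValueError` for a netloc whose NFKC form contains a delimiter.

```python
import unicodedata

# ASCII characters a person reads as URL structure ("end of hostname").
DELIMITERS = "/?#@:."

# Unicode name fragments of glyphs that resemble those delimiters.
# Constructed, deliberately short list; not an exhaustive confusables table.
LOOKALIKE_NAME_FRAGMENTS = ("SLASH", "SOLIDUS", "QUESTION MARK",
                            "FULL STOP", "COLON", "COMMERCIAL AT")

# Constructed sample: what looks like paypal.com/login/?... is one hostname
# label (U+2044 FRACTION SLASH, U+FF1F FULLWIDTH QUESTION MARK) under
# the attacker-style placeholder domain example.cn.
SAMPLE_URL = "https://www.paypal.com\u2044login\u2044\uff1fsession.example.cn/account"


def extract_host(url):
    """Hostname as a resolver sees it: text after '://' up to the first ASCII
    '/', '?' or '#', minus userinfo and port.  Lookalike glyphs are not
    delimiters, so they stay inside the host."""
    rest = url.split("://", 1)[1] if "://" in url else url
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/?#":
            end = i
            break
    netloc = rest[:end].rsplit("@", 1)[-1]   # drop userinfo
    return netloc.split(":", 1)[0].lower()   # drop port


def analyze_url_host(url):
    """Describe the resolved host and flag delimiter-lookalike code points."""
    host = extract_host(url)
    findings = []
    for ch in host:
        if ord(ch) < 0x80:
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        nfkc = unicodedata.normalize("NFKC", ch)
        reasons = []
        if any(frag in name for frag in LOOKALIKE_NAME_FRAGMENTS):
            reasons.append("name resembles a URL delimiter")
        # Some lookalikes have a compatibility mapping to the real delimiter
        # (fullwidth forms do); others do not, so both checks are kept.
        if any(d in nfkc for d in DELIMITERS):
            reasons.append(f"NFKC-normalises to {nfkc!r}")
        findings.append({"char": ch, "codepoint": f"U+{ord(ch):04X}",
                         "name": name, "reasons": reasons})
    labels = host.split(".")
    # Wire form: ASCII labels as-is, others as raw punycode with the xn--
    # prefix (no IDNA mapping step, so every original code point is kept).
    wire = ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in labels)
    return {
        "host": host,
        "wire_form": wire,
        "registrable_domain": ".".join(labels[-2:]),  # simplification: no PSL
        "non_ascii": findings,
        "suspicious": any(f["reasons"] for f in findings),
    }


if __name__ == "__main__":
    report = analyze_url_host(SAMPLE_URL)
    print("host:              ", report["host"])
    print("wire form:         ", report["wire_form"])
    print("registrable domain:", report["registrable_domain"])
    for f in report["non_ascii"]:
        print(f"  {f['codepoint']} {f['name']}: {', '.join(f['reasons']) or 'no flag'}")
    print("suspicious:        ", report["suspicious"])
```

On the sample the registrable domain comes out as `example.cn`, not `paypal.com`, which is the fact a certificate for `*.example.cn` would validate and a user reading the address bar would miss. The same report on a plain `https://www.paypal.com/?domain.cn` finds no non-ASCII code points and resolves to `www.paypal.com`.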

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


Current thread: