Hacker pokes third hole in secure sockets layer

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/

By Dan Goodin in San Francisco
The Register
19th February 2009

Website encryption has sustained another body blow, this time by an 
independent hacker who demonstrated a tool that can steal sensitive 
information by tricking users into believing they're visiting protected 
sites when in fact they're not.

Unveiled Wednesday at the Black Hat security conference in Washington, 
SSLstrip works on public Wi-Fi networks, onion-routing systems, and 
anywhere else a man-in-the-middle attack is practical. It converts pages 
that normally would be protected by the secure sockets layer protocol 
into their unencrypted versions. It does this while continuing to fool 
both the website and the user into believing the security measure is 
still in place.

The presentation by a conference attendee who goes by the name Moxie 
Marlinspike is the latest demonstration of weaknesses in SSL, the 
encryption routine websites use to prevent passwords, credit card 
numbers, and other sensitive information from being sniffed while in 
transit. Similar to side jacking attack from 2007 and last year's 
forging of a certificate authority certificate, it shows the measure 
goes only so far.

"The attack is, as far as I know, quite novel and cool," said fellow 
researcher Dan Kaminsky, who attended the Black Hat presentation. "The 
larger message of Moxie's talk is one that a lot of people have been 
talking about actually for a few years now: This SSL thing is not 
working very well."

[...]


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/