By Dan Goodin in San Francisco
19th February 2009
Website encryption has sustained another body blow, this time by an
independent hacker who demonstrated a tool that can steal sensitive
information by tricking users into believing they're visiting protected
sites when in fact they're not.
Unveiled Wednesday at the Black Hat security conference in Washington,
SSLstrip works on public Wi-Fi networks, onion-routing systems, and
anywhere else a man-in-the-middle attack is practical. It converts pages
that normally would be protected by the secure sockets layer protocol
into their unencrypted versions. It does this while continuing to fool
both the website and the user into believing the security measure is
still in place.
The presentation by a conference attendee who goes by the name Moxie
Marlinspike is the latest demonstration of weaknesses in SSL, the
encryption routine websites use to prevent passwords, credit card
numbers, and other sensitive information from being sniffed while in
transit. Like the sidejacking attack from 2007 and last year's
forging of a certificate authority certificate, it shows that the
protection goes only so far.
"The attack is, as far as I know, quite novel and cool," said fellow
researcher Dan Kaminsky, who attended the Black Hat presentation. "The
larger message of Moxie's talk is one that a lot of people have been
talking about actually for a few years now: This SSL thing is not
working very well."