Moxie Marlinspike demonstrated another way to compromise SSL based website at the BlackHat DC 2009,which is the HTTPS stripping tool called SSLStrip.
For example if we are looking to check our email on Gmail, we open our browser and we start typing the address: mail.google.com or gmail.com, and we don’t care about the page if it starts http:// or https://, because we know that it turns out automatically. Switching to protected resources is carried out through the normal http-protocol and it is possible to intercept it.
Moxie Marlispike has presented his second program called SSLStrip, the Idea behind the SSLStrip is that it can help attacker to intercept the request for a secure connection from the victim and force him to communicate over non secure http connection.
The tool is developed with python and it replaces secure links to non secure. So the picture is wonderful a server sends the entire content in secure channels for all clients, and the victim does not receive any warning or even suspect that he is using an unsecured connection. All traffic is not encrypted and in clear.
Moxie Marlinspike has run his tool SSLStrip on Tor proxy and in 24 hours he managed to get the following number of authentication credential:
- login.yahoo.com – 114
- Gmail – 50
- ticketmaster.com – 42
- rapidshare.com – 14
- Hotmail – 13
- paypal.com – 9
- linkedin.com -9
- facebook.com – 3
Actually SSLStrip is a very advanced way that combines homographic attack to create a Man In The Middle, this type of attack is based on user confusion to make him believe that the website is legitimate.
make sure you subscribe to my RSS feed!