sslstrip, hijacking SSL in network

Last week at Black Hat DC, [Moxie Marlinspike] presented a novel way to hijack SSL. You can read about it in this Forbes article, but we highly recommend you watch the video. sslstrip can rewrite all https links as http, but it goes far beyond that. Using Unicode characters that look similar to / and ?, it can construct URLs with a valid certificate and then redirect the user to the original site after stealing their credentials. The attack can be very difficult for even above-average users to notice. This attack requires access to the client’s network, but [Moxie] successfully ran it on a Tor exit node.
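
To see why the lookalike trick fools readers, here is a defender-side check, added as an example and not taken from the talk or from sslstrip. It extracts the host a URL parser actually uses and flags characters that merely look like / or ?. The function names, the lookalike list and the .example hostnames are constructed for illustration, and the list is not exhaustive.

```python
import unicodedata

# Constructed, non-exhaustive map of code points that render like URL delimiters.
LOOKALIKES = {
    "\u2044": "/",  # FRACTION SLASH
    "\u2215": "/",  # DIVISION SLASH
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\uff1f": "?",  # FULLWIDTH QUESTION MARK
    "\u0294": "?",  # LATIN LETTER GLOTTAL STOP
}

def real_host(url):
    """Host as a URL parser sees it: only ASCII / ? # end the authority."""
    rest = url.partition("://")[2] or url
    for delim in "/?#":
        rest = rest.split(delim, 1)[0]
    host = rest.rpartition("@")[2].split(":", 1)[0].lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):  # decode IDN labels to their displayed form
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def audit_url(url):
    """Return the real host, the host a reader would assume, and findings."""
    host = real_host(url)
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("not https")
    hits = [i for i, ch in enumerate(host) if ch in LOOKALIKES]
    for i in hits:
        ch = host[i]
        name = unicodedata.name(ch, "UNKNOWN")
        findings.append(f"U+{ord(ch):04X} {name} mimics '{LOOKALIKES[ch]}'")
    # A reader stops reading the "host" at the first fake delimiter.
    apparent = host[:hits[0]] if hits else host
    return {"host": host, "apparent_host": apparent, "findings": findings}

# Constructed sample; .example names are reserved placeholders.
SAMPLE = "https://www.bank.example\u2044login\uff1fsession.idn-placeholder.example/"

if __name__ == "__main__":
    print(audit_url(SAMPLE))
```

The gap between `apparent_host` and `host` is the whole deception: the certificate is valid for the latter, while the reader believes they are on the former.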

Comments

  1. nick says:

    scary cool, yet another reason to go to my bank or store in person.

  2. Andrew says:

    This is a hacker’s hack – a really cool proof of concept. But in the real world, someone would have to hack your bank, your ISP or your home network. If they root the bank (e.g. Heartland) why bother with SSL traffic, just get the raw data. If they get your PC, they can grab keystrokes regardless of how good the network security is. And let’s face it, there are a lot of people who can be fooled by a site that just looks the same, never mind the URL or certificate. Although, just maybe, a wireless hotspot at a hotel or cafe might be a candidate for sslstrip. I think it would be hard – diverting traffic through a PC instead of going straight to a switch – but it’s probably easier than hacking an ISP or bank.
    The paper is worth a read:
    http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
    .. hey, maybe combine it with the BGP attack: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf (that was amazing – stole all the DEFCON traffic for an hour or so..)

  3. Andrew says:

    Nick, with all due respect, doing business in person at a bank is way more statistically likely to have your information stolen. Most low-paid tellers get routine access to hundreds of thousands of dollars worth of accounts and make for easy marks in identity theft schemes.
    Typing in your bank URL and checking the certificate is still, despite this risk, safer in my opinion.

  4. dustin says:

    just goes to show everyone i was right in holding my money underneath my bed at home… you’ll never get it NEVER!!!!!

    all joking aside this is just another reason to be smarter online you never know who may be watching you

  5. Jango says:
  6. ex-parrot says:

    I believe Firefox has patched this vulnerability to a degree by not allowing homographic characters to be used in IDN URLs.

    http://www.mozilla.org/projects/security/tld-idn-policy-list.html for more info

  7. atrain says:

    ex-parrot:
    So you just use an international tld. That’s exactly what he does in his lecture, uses a .cn site. You get your own cert for it, etc.

    Even that isn’t really necessary since 99% of people wouldn’t be able to notice the difference between http and https.

  8. steaky says:

    question:

    As opposed to just bank, ISP and user PC, couldn’t this be done on a dns server or someone’s router?
    or, as he said, on a Tor node.
    it would seem that the people that could get burned with this use the tor network and so, stereotypically don’t want ppl seeing what they are doing.

  9. ejonesss says:

    that is an extremely dangerous program.

    those who care about the security of their online transactions need to be careful

  10. supershwa says:

    heh crap — i read this article after completing a payment card industry self-assessment questionnaire for a client’s merchant account.

    i’ll pretend i never saw this.

  11. ex-parrot says:

    atrain: even for TLDs such as .cn, they have a filter in place for blocking fraudulent characters.

    check the list of links to policies I linked :)

  12. IceBrain says:

    Hey, this doesn’t hijack https! Hijacking would mean taking over an established connection. This redirects the user “before” an ssl connection is made, to a similar site. If you’re already logged in to the bank, they can’t hijack you, the connection is encrypted.

    And there’s a simple way to tell if you’re on the right website before logging in: Just try to login with false data first. The fake website won’t know it’s false and will let you “login”, but the real website will give you “wrong password”.

  13. DarkFader says:

    This calls for some IDS to be installed. Anyone know some good one for OS X with not too much overhead and in a nice .dmg/.app package?

  14. A.B.Z says:

    icebrain you should be called nobrain. I’ve tested this on firefox and even if you type in the wrong password it won’t log you in.

  15. IceBrain says:

    a.b.z.: You’re right, I didn’t read the part where they “redirect” the user to the real webserver. AFAIK most phishing pages don’t do that.

    Are there any tips on how to avoid this? If we type the url by hand using “https” it should be safe, no?
    But my bank redirects me to http to login :facepalm:

  16. smyd says:

    pffft it is just phishing. Move along.

  17. The key capture window is predicated on using a PS2 keyboard. Try again.

  18. Also, the laser map key capture feels a bit off because:

    A: if it’s a laptop (where the screen is bolted on to the keyboard) it might be more simple to get a logger onto the machine via its weak wireless transfers.

    B: who is using a laptop outside doing anything worth capture?

    C: if someone is using a laptop outside while doing anything of sensitivity, and he or she is behind glass, how does that attenuate the signal’s strength? Window treatments? Polarization? At what point would proximity be hindered to a point of futility?

    D: the carrier laser would have to be in the non visible spectra to convey the data without detection of the target. That entails using a camera instead of a simple sensor to see the IR scatter from the laser on the “laptop”s screen or some area for alignment, greatly complicating things as the sample rate of the ccd would have to be very high, and that’s contraindicative of using the on-board sound as an ADC. Sure, you could build some sort of alignment mechanics to compensate for a simple 3d index of the screen, with a reduction in return power over the angle of observation, but by then, the camera implementation would be cheaper. I would rather socially engineer my way into the cookie and boogie. Still, a nice paper though!

  19. web user says:

    I just read about 8 comments of absolute drivel. I hereby declare half of you (at least) to be crap headed. If you were in binary form (a file) I would rm -rf every trace of you.

    Respectfully sincere,
    Web User

  20. eric fajardo says:

    Moxie made a good presentation with defeating SSL over HTTPS. Cheating the traffic to be redirected to solely HTTP is very crafty indeed. This is basically true for public / not-so secured websites like Yahoo and Google and the rest, but I guess finding a way to smash in for some corporate traffic would be hard if:

    1. Force-all traffic as HTTPS in the infrastructure side.
    2. Using a 2FA for all standard, remote access.
    3. Combining 2FA with OTP for all logins.

    I believe that Two-Factor-Authentication is not fool-proof though, but it can definitely make a pain in the ass for a guy listening on your wire to gain access.

  21. nobann says:

    Lol
    all of you dunno anything
    it’s not phishing lol
    It’s arp poisoning + redirection through hacker computer then sslstrip do some makeup…
    if u understand how internet works, you will never feel secure since the lower level isnt secure …
